2 * Routines for HTTP packet disassembly
6 * Guy Harris <guy@alum.mit.edu>
8 * Copyright 2004, Jerry Talkington <jtalkington@users.sourceforge.net>
9 * Copyright 2002, Tim Potter <tpot@samba.org>
10 * Copyright 1999, Andrew Tridgell <tridge@samba.org>
12 * Wireshark - Network traffic analyzer
13 * By Gerald Combs <gerald@wireshark.org>
14 * Copyright 1998 Gerald Combs
16 * This program is free software; you can redistribute it and/or
17 * modify it under the terms of the GNU General Public License
18 * as published by the Free Software Foundation; either version 2
19 * of the License, or (at your option) any later version.
21 * This program is distributed in the hope that it will be useful,
22 * but WITHOUT ANY WARRANTY; without even the implied warranty of
23 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
24 * GNU General Public License for more details.
26 * You should have received a copy of the GNU General Public License
27 * along with this program; if not, write to the Free Software
28 * Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
39 #include <epan/conversation.h>
40 #include <epan/packet.h>
41 #include <epan/strutil.h>
42 #include <wsutil/base64.h>
43 #include <epan/stats_tree.h>
44 #include <epan/to_str.h>
46 #include <epan/req_resp_hdrs.h>
47 #include "packet-http.h"
48 #include "packet-tcp.h"
49 #include "packet-ssl.h"
50 #include <epan/prefs.h>
51 #include <epan/expert.h>
53 #include <epan/wmem/wmem.h>
55 typedef enum _http_type {
64 void proto_register_http(void);
65 void proto_reg_handoff_http(void);
66 void proto_register_message_http(void);
67 void proto_reg_handoff_message_http(void);
69 static int http_tap = -1;
70 static int http_eo_tap = -1;
72 static int proto_http = -1;
73 static int hf_http_notification = -1;
74 static int hf_http_response = -1;
75 static int hf_http_request = -1;
76 static int hf_http_response_line = -1;
77 static int hf_http_request_line = -1;
78 static int hf_http_basic = -1;
79 static int hf_http_request_method = -1;
80 static int hf_http_request_uri = -1;
81 static int hf_http_request_full_uri = -1;
82 static int hf_http_version = -1;
83 static int hf_http_response_code = -1;
84 static int hf_http_response_phrase = -1;
85 static int hf_http_authorization = -1;
86 static int hf_http_proxy_authenticate = -1;
87 static int hf_http_proxy_authorization = -1;
88 static int hf_http_proxy_connect_host = -1;
89 static int hf_http_proxy_connect_port = -1;
90 static int hf_http_www_authenticate = -1;
91 static int hf_http_content_type = -1;
92 static int hf_http_content_length_header = -1;
93 static int hf_http_content_length = -1;
94 static int hf_http_content_encoding = -1;
95 static int hf_http_transfer_encoding = -1;
96 static int hf_http_upgrade = -1;
97 static int hf_http_user_agent = -1;
98 static int hf_http_host = -1;
99 static int hf_http_connection = -1;
100 static int hf_http_cookie = -1;
101 static int hf_http_accept = -1;
102 static int hf_http_referer = -1;
103 static int hf_http_accept_language = -1;
104 static int hf_http_accept_encoding = -1;
105 static int hf_http_date = -1;
106 static int hf_http_cache_control = -1;
107 static int hf_http_server = -1;
108 static int hf_http_location = -1;
109 static int hf_http_sec_websocket_accept = -1;
110 static int hf_http_sec_websocket_extensions = -1;
111 static int hf_http_sec_websocket_key = -1;
112 static int hf_http_sec_websocket_protocol = -1;
113 static int hf_http_sec_websocket_version = -1;
114 static int hf_http_set_cookie = -1;
115 static int hf_http_last_modified = -1;
116 static int hf_http_x_forwarded_for = -1;
117 static int hf_http_request_in = -1;
118 static int hf_http_response_in = -1;
119 static int hf_http_next_request_in = -1;
120 static int hf_http_next_response_in = -1;
121 static int hf_http_prev_request_in = -1;
122 static int hf_http_prev_response_in = -1;
123 static int hf_http_time = -1;
125 static gint ett_http = -1;
126 static gint ett_http_ntlmssp = -1;
127 static gint ett_http_kerberos = -1;
128 static gint ett_http_request = -1;
129 static gint ett_http_chunked_response = -1;
130 static gint ett_http_chunk_data = -1;
131 static gint ett_http_encoded_entity = -1;
132 static gint ett_http_header_item = -1;
134 static expert_field ei_http_chat = EI_INIT;
135 static expert_field ei_http_chunked_and_length = EI_INIT;
136 static expert_field ei_http_subdissector_failed = EI_INIT;
138 static dissector_handle_t http_handle;
140 static dissector_handle_t data_handle;
141 static dissector_handle_t media_handle;
142 static dissector_handle_t websocket_handle;
143 static dissector_handle_t http2_handle;
145 /* Stuff for generation/handling of fields for custom HTTP headers */
146 typedef struct _header_field_t {
151 static header_field_t* header_fields = NULL;
152 static guint num_header_fields = 0;
154 static GHashTable* header_fields_hash = NULL;
157 header_fields_update_cb(void *r, const char **err)
159 header_field_t *rec = (header_field_t *)r;
162 if (rec->header_name == NULL) {
163 *err = g_strdup("Header name can't be empty");
167 g_strstrip(rec->header_name);
168 if (rec->header_name[0] == 0) {
169 *err = g_strdup("Header name can't be empty");
173 /* Check for invalid characters (to avoid asserting out when
174 * registering the field).
176 c = proto_check_field_name(rec->header_name);
178 *err = g_strdup_printf("Header name can't contain '%c'", c);
186 header_fields_copy_cb(void* n, const void* o, size_t siz _U_)
188 header_field_t* new_rec = (header_field_t*)n;
189 const header_field_t* old_rec = (const header_field_t*)o;
191 if (old_rec->header_name) {
192 new_rec->header_name = g_strdup(old_rec->header_name);
194 new_rec->header_name = NULL;
197 if (old_rec->header_desc) {
198 new_rec->header_desc = g_strdup(old_rec->header_desc);
200 new_rec->header_desc = NULL;
207 header_fields_free_cb(void*r)
209 header_field_t* rec = (header_field_t*)r;
211 if (rec->header_name)
212 g_free(rec->header_name);
213 if (rec->header_desc)
214 g_free(rec->header_desc);
217 UAT_CSTRING_CB_DEF(header_fields, header_name, header_field_t)
218 UAT_CSTRING_CB_DEF(header_fields, header_desc, header_field_t)
221 * desegmentation of HTTP headers
222 * (when we are over TCP or another protocol providing the desegmentation API)
224 static gboolean http_desegment_headers = TRUE;
227 * desegmentation of HTTP bodies
228 * (when we are over TCP or another protocol providing the desegmentation API)
229 * TODO let the user filter on content-type the bodies he wants desegmented
231 static gboolean http_desegment_body = TRUE;
234 * De-chunking of content-encoding: chunk entity bodies.
236 static gboolean http_dechunk_body = TRUE;
239 * Decompression of zlib encoded entities.
242 static gboolean http_decompress_body = TRUE;
244 static gboolean http_decompress_body = FALSE;
247 /* Simple Service Discovery Protocol
248 * SSDP is implemented atop HTTP (yes, it really *does* run over UDP).
249 * SSDP is the discovery protocol of Universal Plug and Play
250 * UPnP http://www.upnp.org/specs/arch/UPnP-arch-DeviceArchitecture-v1.1.pdf
252 #define TCP_PORT_SSDP 1900
253 #define UDP_PORT_SSDP 1900
258 * 2710 is the XBT BitTorrent tracker
261 #define TCP_DEFAULT_RANGE "80,3128,3132,5985,8080,8088,11371,1900,2869,2710"
262 #define SSL_DEFAULT_RANGE "443"
264 #define UPGRADE_WEBSOCKET 1
265 #define UPGRADE_HTTP2 2
267 static range_t *global_http_tcp_range = NULL;
268 static range_t *global_http_ssl_range = NULL;
270 static range_t *http_tcp_range = NULL;
271 static range_t *http_ssl_range = NULL;
273 typedef void (*ReqRespDissector)(tvbuff_t*, proto_tree*, int, const guchar*,
274 const guchar*, http_conv_t *);
277 * Structure holding information from headers needed by main
278 * HTTP dissector code.
282 char *content_type_parameters;
283 gboolean have_content_length;
284 gint64 content_length;
285 char *content_encoding;
286 char *transfer_encoding;
290 static int is_http_request_or_reply(const gchar *data, int linelen,
291 http_type_t *type, ReqRespDissector
292 *reqresp_dissector, http_conv_t *conv_data);
293 static int chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
294 proto_tree *tree, int offset);
295 static void process_header(tvbuff_t *tvb, int offset, int next_offset,
296 const guchar *line, int linelen, int colon_offset,
297 packet_info *pinfo, proto_tree *tree,
298 headers_t *eh_ptr, http_conv_t *conv_data,
300 static gint find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len);
301 static gboolean check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb,
302 packet_info *pinfo, gchar *value);
303 static gboolean check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb,
305 static gboolean check_auth_kerberos(proto_item *hdr_item, tvbuff_t *tvb,
306 packet_info *pinfo, const gchar *value);
308 static dissector_table_t port_subdissector_table;
309 static dissector_table_t media_type_subdissector_table;
310 static heur_dissector_list_t heur_subdissector_list;
312 static dissector_handle_t ntlmssp_handle;
313 static dissector_handle_t gssapi_handle;
315 /* --- HTTP Status Codes */
316 /* Note: The reference for uncommented entries is RFC 2616 */
317 static const value_string vals_status_code[] = {
319 { 101, "Switching Protocols" },
320 { 102, "Processing" }, /* RFC 2518 */
321 { 199, "Informational - Others" },
326 { 203, "Non-authoritative Information"},
327 { 204, "No Content"},
328 { 205, "Reset Content"},
329 { 206, "Partial Content"},
330 { 207, "Multi-Status"}, /* RFC 4918 */
331 { 226, "IM Used"}, /* RFC 3229 */
332 { 299, "Success - Others"},
334 { 300, "Multiple Choices"},
335 { 301, "Moved Permanently"},
338 { 304, "Not Modified"},
340 { 307, "Temporary Redirect"},
341 { 399, "Redirection - Others"},
343 { 400, "Bad Request"},
344 { 401, "Unauthorized"},
345 { 402, "Payment Required"},
348 { 405, "Method Not Allowed"},
349 { 406, "Not Acceptable"},
350 { 407, "Proxy Authentication Required"},
351 { 408, "Request Time-out"},
354 { 411, "Length Required"},
355 { 412, "Precondition Failed"},
356 { 413, "Request Entity Too Large"},
357 { 414, "Request-URI Too Long"},
358 { 415, "Unsupported Media Type"},
359 { 416, "Requested Range Not Satisfiable"},
360 { 417, "Expectation Failed"},
361 { 418, "I'm a teapot"}, /* RFC 2324 */
362 { 422, "Unprocessable Entity"}, /* RFC 4918 */
363 { 423, "Locked"}, /* RFC 4918 */
364 { 424, "Failed Dependency"}, /* RFC 4918 */
365 { 426, "Upgrade Required"}, /* RFC 2817 */
366 { 428, "Precondition Required"}, /* RFC 6585 */
367 { 429, "Too Many Requests"}, /* RFC 6585 */
368 { 431, "Request Header Fields Too Large"}, /* RFC 6585 */
369 { 499, "Client Error - Others"},
371 { 500, "Internal Server Error"},
372 { 501, "Not Implemented"},
373 { 502, "Bad Gateway"},
374 { 503, "Service Unavailable"},
375 { 504, "Gateway Time-out"},
376 { 505, "HTTP Version not supported"},
377 { 507, "Insufficient Storage"}, /* RFC 4918 */
378 { 511, "Network Authentication Required"}, /* RFC 6585 */
379 { 599, "Server Error - Others"},
384 static const gchar* st_str_reqs = "HTTP Requests by Server";
385 static const gchar* st_str_reqs_by_srv_addr = "HTTP Requests by Server Address";
386 static const gchar* st_str_reqs_by_http_host = "HTTP Requests by HTTP Host";
387 static const gchar* st_str_resps_by_srv_addr = "HTTP Responses by Server Address";
389 static int st_node_reqs = -1;
390 static int st_node_reqs_by_srv_addr = -1;
391 static int st_node_reqs_by_http_host = -1;
392 static int st_node_resps_by_srv_addr = -1;
394 /* HTTP/Load Distribution stats init function */
396 http_reqs_stats_tree_init(stats_tree* st)
398 st_node_reqs = stats_tree_create_node(st, st_str_reqs, 0, TRUE);
399 st_node_reqs_by_srv_addr = stats_tree_create_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
400 st_node_reqs_by_http_host = stats_tree_create_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
401 st_node_resps_by_srv_addr = stats_tree_create_node(st, st_str_resps_by_srv_addr, 0, TRUE);
404 /* HTTP/Load Distribution stats packet function */
406 http_reqs_stats_tree_packet(stats_tree* st, packet_info* pinfo, epan_dissect_t* edt _U_, const void* p)
408 const http_info_value_t* v = (const http_info_value_t*)p;
409 int reqs_by_this_host;
410 int reqs_by_this_addr;
411 int resps_by_this_addr;
412 int i = v->response_code;
416 if (v->request_method) {
417 ip_str = ep_address_to_str(&pinfo->dst);
419 tick_stat_node(st, st_str_reqs, 0, FALSE);
420 tick_stat_node(st, st_str_reqs_by_srv_addr, st_node_reqs, TRUE);
421 tick_stat_node(st, st_str_reqs_by_http_host, st_node_reqs, TRUE);
422 reqs_by_this_addr = tick_stat_node(st, ip_str, st_node_reqs_by_srv_addr, TRUE);
425 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_reqs_by_http_host, TRUE);
426 tick_stat_node(st, ip_str, reqs_by_this_host, FALSE);
428 tick_stat_node(st, v->http_host, reqs_by_this_addr, FALSE);
434 ip_str = ep_address_to_str(&pinfo->src);
436 tick_stat_node(st, st_str_resps_by_srv_addr, 0, FALSE);
437 resps_by_this_addr = tick_stat_node(st, ip_str, st_node_resps_by_srv_addr, TRUE);
439 if ( (i>100)&&(i<400) ) {
440 tick_stat_node(st, "OK", resps_by_this_addr, FALSE);
442 tick_stat_node(st, "KO", resps_by_this_addr, FALSE);
452 static int st_node_requests_by_host = -1;
453 static const gchar *st_str_requests_by_host = "HTTP Requests by HTTP Host";
455 /* HTTP/Requests stats init function */
457 http_req_stats_tree_init(stats_tree* st)
459 st_node_requests_by_host = stats_tree_create_node(st, st_str_requests_by_host, 0, TRUE);
462 /* HTTP/Requests stats packet function */
464 http_req_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p)
466 const http_info_value_t* v = (const http_info_value_t*)p;
467 int reqs_by_this_host;
469 if (v->request_method) {
470 tick_stat_node(st, st_str_requests_by_host, 0, FALSE);
473 reqs_by_this_host = tick_stat_node(st, v->http_host, st_node_requests_by_host, TRUE);
475 if (v->request_uri) {
476 tick_stat_node(st, v->request_uri, reqs_by_this_host, TRUE);
486 static const gchar *st_str_packets = "Total HTTP Packets";
487 static const gchar *st_str_requests = "HTTP Request Packets";
488 static const gchar *st_str_responses = "HTTP Response Packets";
489 static const gchar *st_str_resp_broken = "???: broken";
490 static const gchar *st_str_resp_100 = "1xx: Informational";
491 static const gchar *st_str_resp_200 = "2xx: Success";
492 static const gchar *st_str_resp_300 = "3xx: Redirection";
493 static const gchar *st_str_resp_400 = "4xx: Client Error";
494 static const gchar *st_str_resp_500 = "5xx: Server Error";
495 static const gchar *st_str_other = "Other HTTP Packets";
497 static int st_node_packets = -1;
498 static int st_node_requests = -1;
499 static int st_node_responses = -1;
500 static int st_node_resp_broken = -1;
501 static int st_node_resp_100 = -1;
502 static int st_node_resp_200 = -1;
503 static int st_node_resp_300 = -1;
504 static int st_node_resp_400 = -1;
505 static int st_node_resp_500 = -1;
506 static int st_node_other = -1;
509 /* HTTP/Packet Counter stats init function */
511 http_stats_tree_init(stats_tree* st)
513 st_node_packets = stats_tree_create_node(st, st_str_packets, 0, TRUE);
514 st_node_requests = stats_tree_create_pivot(st, st_str_requests, st_node_packets);
515 st_node_responses = stats_tree_create_node(st, st_str_responses, st_node_packets, TRUE);
516 st_node_resp_broken = stats_tree_create_node(st, st_str_resp_broken, st_node_responses, TRUE);
517 st_node_resp_100 = stats_tree_create_node(st, st_str_resp_100, st_node_responses, TRUE);
518 st_node_resp_200 = stats_tree_create_node(st, st_str_resp_200, st_node_responses, TRUE);
519 st_node_resp_300 = stats_tree_create_node(st, st_str_resp_300, st_node_responses, TRUE);
520 st_node_resp_400 = stats_tree_create_node(st, st_str_resp_400, st_node_responses, TRUE);
521 st_node_resp_500 = stats_tree_create_node(st, st_str_resp_500, st_node_responses, TRUE);
522 st_node_other = stats_tree_create_node(st, st_str_other, st_node_packets,FALSE);
525 /* HTTP/Packet Counter stats packet function */
527 http_stats_tree_packet(stats_tree* st, packet_info* pinfo _U_, epan_dissect_t* edt _U_, const void* p)
529 const http_info_value_t* v = (const http_info_value_t*)p;
530 guint i = v->response_code;
532 const gchar *resp_str;
535 tick_stat_node(st, st_str_packets, 0, FALSE);
538 tick_stat_node(st, st_str_responses, st_node_packets, FALSE);
540 if ( (i<100)||(i>=600) ) {
541 resp_grp = st_node_resp_broken;
542 resp_str = st_str_resp_broken;
544 resp_grp = st_node_resp_100;
545 resp_str = st_str_resp_100;
547 resp_grp = st_node_resp_200;
548 resp_str = st_str_resp_200;
550 resp_grp = st_node_resp_300;
551 resp_str = st_str_resp_300;
553 resp_grp = st_node_resp_400;
554 resp_str = st_str_resp_400;
556 resp_grp = st_node_resp_500;
557 resp_str = st_str_resp_500;
560 tick_stat_node(st, resp_str, st_node_responses, FALSE);
562 g_snprintf(str, sizeof(str), "%u %s", i,
563 val_to_str(i, vals_status_code, "Unknown (%d)"));
564 tick_stat_node(st, str, resp_grp, FALSE);
565 } else if (v->request_method) {
566 stats_tree_tick_pivot(st,st_node_requests,v->request_method);
568 tick_stat_node(st, st_str_other, st_node_packets, FALSE);
576 dissect_http_ntlmssp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
579 tvbuff_t *ntlmssp_tvb;
581 ntlmssp_tvb = base64_to_tvb(tvb, line);
582 add_new_data_source(pinfo, ntlmssp_tvb, "NTLMSSP / GSSAPI Data");
583 if (tvb_strneql(ntlmssp_tvb, 0, "NTLMSSP", 7) == 0)
584 call_dissector(ntlmssp_handle, ntlmssp_tvb, pinfo, tree);
586 call_dissector(gssapi_handle, ntlmssp_tvb, pinfo, tree);
590 dissect_http_kerberos(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree,
593 tvbuff_t *kerberos_tvb;
595 kerberos_tvb = base64_to_tvb(tvb, line + 9); /* skip 'Kerberos ' which is 9 chars */
596 add_new_data_source(pinfo, kerberos_tvb, "Kerberos Data");
597 call_dissector(gssapi_handle, kerberos_tvb, pinfo, tree);
603 get_http_conversation_data(packet_info *pinfo)
605 conversation_t *conversation;
606 http_conv_t *conv_data;
608 conversation = find_or_create_conversation(pinfo);
610 /* Retrieve information from conversation
611 * or add it if it isn't there yet
613 conv_data = (http_conv_t *)conversation_get_proto_data(conversation, proto_http);
615 /* Setup the conversation structure itself */
616 conv_data = (http_conv_t *)wmem_alloc0(wmem_file_scope(), sizeof(http_conv_t));
618 conversation_add_proto_data(conversation, proto_http,
626 * create a new http_req_res_t and add it to the conversation.
627 * @return the new allocated object which is already added to the linked list
629 static http_req_res_t* push_req_res(http_conv_t *conv_data)
631 http_req_res_t *req_res = (http_req_res_t *)wmem_alloc0(wmem_file_scope(), sizeof(http_req_res_t));
632 nstime_set_unset(&(req_res->req_ts));
633 req_res->number = ++conv_data->req_res_num;
635 if (! conv_data->req_res_tail) {
636 conv_data->req_res_tail = req_res;
638 req_res->prev = conv_data->req_res_tail;
639 conv_data->req_res_tail->next = req_res;
640 conv_data->req_res_tail = req_res;
647 * push a request frame number and its time stamp to the conversation data.
649 static void push_req(http_conv_t *conv_data, packet_info *pinfo)
651 /* a request will always create a new http_req_res_t object */
652 http_req_res_t *req_res = push_req_res(conv_data);
654 req_res->req_framenum = pinfo->fd->num;
655 req_res->req_ts = pinfo->fd->abs_ts;
657 p_add_proto_data(wmem_file_scope(), pinfo, proto_http, 0, req_res);
661 * push a response frame number to the conversation data.
663 static void push_res(http_conv_t *conv_data, packet_info *pinfo)
665 /* a response will create a new http_req_res_t object: if no
666 object exists, or if one exists for another response. In
667 both cases the corresponding request was not
668 detected/included in the conversation. In all other cases
669 the http_req_res_t object created by the request is
671 http_req_res_t *req_res = conv_data->req_res_tail;
672 if (!req_res || req_res->res_framenum > 0) {
673 req_res = push_req_res(conv_data);
675 req_res->res_framenum = pinfo->fd->num;
676 p_add_proto_data(wmem_file_scope(), pinfo, proto_http, 0, req_res);
680 * TODO: remove this ugly global variable.
681 * XXX: do we really want to have to pass this from one function to another?
683 static http_info_value_t *stat_info;
686 dissect_http_message(tvbuff_t *tvb, int offset, packet_info *pinfo,
687 proto_tree *tree, http_conv_t *conv_data)
689 const char *proto_tag;
690 proto_tree *http_tree = NULL;
691 proto_item *ti = NULL;
692 proto_item *hidden_item;
695 const guchar *linep, *lineend;
697 int first_linelen, linelen;
698 gboolean is_request_or_reply;
699 gboolean saw_req_resp_or_header;
701 http_type_t http_type;
702 proto_item *hdr_item = NULL;
703 ReqRespDissector reqresp_dissector;
704 proto_tree *req_tree;
708 int reported_datalen = -1;
709 dissector_handle_t handle;
710 gboolean dissected = FALSE;
712 /*http_info_value_t *si;*/
716 * Is this a request or response?
718 * Note that "tvb_find_line_end()" will return a value that
719 * is not longer than what's in the buffer, so the
720 * "tvb_get_ptr()" call won't throw an exception.
722 first_linelen = tvb_find_line_end(tvb, offset,
723 tvb_ensure_length_remaining(tvb, offset), &next_offset,
726 if (first_linelen == -1) {
727 /* No complete line was found in this segment, do
728 * desegmentation if we're told to.
730 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
731 http_desegment_headers, http_desegment_body)) {
733 * More data needed for desegmentation.
740 * Is the first line a request or response?
742 line = tvb_get_ptr(tvb, offset, first_linelen);
743 http_type = HTTP_OTHERS; /* type not known yet */
744 is_request_or_reply = is_http_request_or_reply((const gchar *)line,
745 first_linelen, &http_type, NULL, conv_data);
746 if (is_request_or_reply) {
748 * Yes, it's a request or response.
749 * Do header desegmentation if we've been told to,
750 * and do body desegmentation if we've been told to and
751 * we find a Content-Length header.
753 if (!req_resp_hdrs_do_reassembly(tvb, offset, pinfo,
754 http_desegment_headers, http_desegment_body)) {
756 * More data needed for desegmentation.
762 stat_info = wmem_new(wmem_packet_scope(), http_info_value_t);
763 stat_info->framenum = pinfo->fd->num;
764 stat_info->response_code = 0;
765 stat_info->request_method = NULL;
766 stat_info->request_uri = NULL;
767 stat_info->http_host = NULL;
769 switch (pinfo->match_uint) {
771 case TCP_PORT_SSDP: /* TCP_PORT_SSDP = UDP_PORT_SSDP */
780 col_set_str(pinfo->cinfo, COL_PROTOCOL, proto_tag);
782 * Put the first line from the buffer into the summary
783 * if it's an HTTP request or reply (but leave out the
785 * Otherwise, just call it a continuation.
787 * Note that "tvb_find_line_end()" will return a value that
788 * is not longer than what's in the buffer, so the
789 * "tvb_get_ptr()" call won't throw an exception.
791 if (is_request_or_reply) {
792 line = tvb_get_ptr(tvb, offset, first_linelen);
793 col_add_fstr(pinfo->cinfo, COL_INFO, "%s ", format_text(line, first_linelen));
796 col_set_str(pinfo->cinfo, COL_INFO, "Continuation or non-HTTP traffic");
798 orig_offset = offset;
800 ti = proto_tree_add_item(tree, proto_http, tvb, offset, -1,
802 http_tree = proto_item_add_subtree(ti, ett_http);
806 * Process the packet data, a line at a time.
808 http_type = HTTP_OTHERS; /* type not known yet */
809 headers.content_type = NULL; /* content type not known yet */
810 headers.content_type_parameters = NULL; /* content type parameters too */
811 headers.have_content_length = FALSE; /* content length not known yet */
812 headers.content_length = 0; /* content length set to 0 (avoid a gcc warning) */
813 headers.content_encoding = NULL; /* content encoding not known yet */
814 headers.transfer_encoding = NULL; /* transfer encoding not known yet */
815 headers.upgrade = 0; /* assume we're not upgrading */
816 saw_req_resp_or_header = FALSE; /* haven't seen anything yet */
817 while (tvb_reported_length_remaining(tvb, offset) > 0) {
819 * Find the end of the line.
820 * XXX - what if we don't find it because the packet
821 * is cut short by a snapshot length or the header is
822 * split across TCP segments? How much dissection should
825 linelen = tvb_find_line_end(tvb, offset,
826 tvb_ensure_length_remaining(tvb, offset), &next_offset,
832 * Get a buffer that refers to the line.
834 line = tvb_get_ptr(tvb, offset, linelen);
835 lineend = line + linelen;
839 * OK, does it look like an HTTP request or response?
841 reqresp_dissector = NULL;
842 is_request_or_reply =
843 is_http_request_or_reply((const gchar *)line,
844 linelen, &http_type, &reqresp_dissector, conv_data);
845 if (is_request_or_reply)
849 * No. Does it look like a blank line (as would appear
850 * at the end of an HTTP request)?
853 goto is_http; /* Yes. */
856 * No. Does it look like a header?
859 colon_offset = offset;
860 while (linep < lineend) {
864 * This must be a CHAR to be part of a token; that
865 * means it must be ASCII.
868 break; /* not ASCII, thus not a CHAR */
871 * This mustn't be a CTL to be part of a token.
873 * XXX - what about leading LWS on continuation
877 break; /* CTL, not part of a header */
880 * This mustn't be a SEP to be part of a token;
881 * a ':' ends the token, everything else is an
882 * indication that this isn't a header.
904 * It's a separator, so it's not part of a
905 * token, so it's not a field name for the
906 * beginning of a header.
908 * (We don't have to check for HT; that's
909 * already been ruled out by "iscntrl()".)
915 * This ends the token; we consider this
927 * We haven't seen the colon, but everything else looks
928 * OK for a header line.
930 * If we've already seen an HTTP request or response
931 * line, or a header line, and we're at the end of
932 * the tvbuff, we assume this is an incomplete header
933 * line. (We quit this loop after seeing a blank line,
934 * so if we've seen a request or response line, or a
935 * header line, this is probably more of the request
936 * or response we're presumably seeing. There is some
937 * risk of false positives, but the same applies for
938 * full request or response lines or header lines,
939 * although that's less likely.)
941 * We throw an exception in that case, by checking for
942 * the existence of the next byte after the last one
943 * in the line. If it exists, "tvb_ensure_bytes_exist()"
944 * throws no exception, and we fall through to the
945 * "not HTTP" case. If it doesn't exist,
946 * "tvb_ensure_bytes_exist()" will throw the appropriate
949 if (saw_req_resp_or_header)
950 tvb_ensure_bytes_exist(tvb, offset, linelen + 1);
954 * We don't consider this part of an HTTP request or
955 * reply, so we don't display it.
956 * (Yeah, that means we don't display, say, a text/http
957 * page, but you can get that from the data pane.)
967 * This is a blank line, which means that
968 * whatever follows it isn't part of this
971 proto_tree_add_text(http_tree, tvb, offset,
972 next_offset - offset, "%s",
973 tvb_format_text(tvb, offset, next_offset - offset));
974 offset = next_offset;
979 * Not a blank line - either a request, a reply, or a header
982 saw_req_resp_or_header = TRUE;
983 if (is_request_or_reply) {
984 char *text = tvb_format_text(tvb, offset, next_offset - offset);
986 hdr_item = proto_tree_add_text(http_tree, tvb,
987 offset, next_offset - offset, "%s", text);
989 expert_add_info_format(pinfo, hdr_item, &ei_http_chat, "%s", text);
990 if (reqresp_dissector) {
991 if (tree) req_tree = proto_item_add_subtree(hdr_item, ett_http_request);
992 else req_tree = NULL;
994 reqresp_dissector(tvb, req_tree, offset, line,
1002 process_header(tvb, offset, next_offset, line, linelen,
1003 colon_offset, pinfo, http_tree, &headers, conv_data,
1006 offset = next_offset;
1009 if (tree && stat_info->http_host && stat_info->request_uri) {
1011 gboolean is_ssl = FALSE;
1014 proto_get_frame_protocols(pinfo->layers, NULL, NULL, NULL, NULL, &is_ssl);
1015 uri = wmem_strdup_printf(wmem_packet_scope(), "%s://%s%s",
1016 is_ssl ? "https" : "http",
1017 g_strstrip(wmem_strdup(wmem_packet_scope(), stat_info->http_host)), stat_info->request_uri);
1019 e_ti = proto_tree_add_string(http_tree,
1020 hf_http_request_full_uri, tvb, 0,
1023 PROTO_ITEM_SET_URL(e_ti);
1024 PROTO_ITEM_SET_GENERATED(e_ti);
1027 if (!PINFO_FD_VISITED(pinfo)) {
1028 if (http_type == HTTP_REQUEST) {
1029 push_req(conv_data, pinfo);
1030 } else if (http_type == HTTP_RESPONSE) {
1031 push_res(conv_data, pinfo);
1037 http_req_res_t *curr = (http_req_res_t *)p_get_proto_data(wmem_file_scope(), pinfo, proto_http, 0);
1038 http_req_res_t *prev = curr ? curr->prev : NULL;
1039 http_req_res_t *next = curr ? curr->next : NULL;
1041 switch (http_type) {
1043 case HTTP_NOTIFICATION:
1044 hidden_item = proto_tree_add_boolean(http_tree,
1045 hf_http_notification, tvb, 0, 0, 1);
1046 PROTO_ITEM_SET_HIDDEN(hidden_item);
1050 hidden_item = proto_tree_add_boolean(http_tree,
1051 hf_http_response, tvb, 0, 0, 1);
1052 PROTO_ITEM_SET_HIDDEN(hidden_item);
1057 pi = proto_tree_add_text(http_tree, tvb, 0, 0, "HTTP response %u/%u", curr->number, conv_data->req_res_num);
1058 PROTO_ITEM_SET_GENERATED(pi);
1060 if (! nstime_is_unset(&(curr->req_ts))) {
1061 nstime_delta(&delta, &pinfo->fd->abs_ts, &(curr->req_ts));
1062 pi = proto_tree_add_time(http_tree, hf_http_time, tvb, 0, 0, &delta);
1063 PROTO_ITEM_SET_GENERATED(pi);
1066 if (prev && prev->req_framenum) {
1067 pi = proto_tree_add_uint(http_tree, hf_http_prev_request_in, tvb, 0, 0, prev->req_framenum);
1068 PROTO_ITEM_SET_GENERATED(pi);
1070 if (prev && prev->res_framenum) {
1071 pi = proto_tree_add_uint(http_tree, hf_http_prev_response_in, tvb, 0, 0, prev->res_framenum);
1072 PROTO_ITEM_SET_GENERATED(pi);
1074 if (curr && curr->req_framenum) {
1075 pi = proto_tree_add_uint(http_tree, hf_http_request_in, tvb, 0, 0, curr->req_framenum);
1076 PROTO_ITEM_SET_GENERATED(pi);
1078 if (next && next->req_framenum) {
1079 pi = proto_tree_add_uint(http_tree, hf_http_next_request_in, tvb, 0, 0, next->req_framenum);
1080 PROTO_ITEM_SET_GENERATED(pi);
1082 if (next && next->res_framenum) {
1083 pi = proto_tree_add_uint(http_tree, hf_http_next_response_in, tvb, 0, 0, next->res_framenum);
1084 PROTO_ITEM_SET_GENERATED(pi);
1090 hidden_item = proto_tree_add_boolean(http_tree,
1091 hf_http_request, tvb, 0, 0, 1);
1092 PROTO_ITEM_SET_HIDDEN(hidden_item);
1095 pi = proto_tree_add_text(http_tree, tvb, 0, 0, "HTTP request %u/%u", curr->number, conv_data->req_res_num);
1096 PROTO_ITEM_SET_GENERATED(pi);
1098 if (prev && prev->req_framenum) {
1099 pi = proto_tree_add_uint(http_tree, hf_http_prev_request_in, tvb, 0, 0, prev->req_framenum);
1100 PROTO_ITEM_SET_GENERATED(pi);
1102 if (curr && curr->res_framenum) {
1103 pi = proto_tree_add_uint(http_tree, hf_http_response_in, tvb, 0, 0, curr->res_framenum);
1104 PROTO_ITEM_SET_GENERATED(pi);
1106 if (next && next->req_framenum) {
1107 pi = proto_tree_add_uint(http_tree, hf_http_next_request_in, tvb, 0, 0, next->req_framenum);
1108 PROTO_ITEM_SET_GENERATED(pi);
1119 reported_datalen = tvb_reported_length_remaining(tvb, offset);
1120 datalen = tvb_length_remaining(tvb, offset);
1123 * If a content length was supplied, the amount of data to be
1124 * processed as HTTP payload is the minimum of the content
1125 * length and the amount of data remaining in the frame.
1127 * If a message is received with both a Transfer-Encoding
1128 * header field and a Content-Length header field, the latter
1131 * If no content length was supplied (or if a bad content length
1132 * was supplied), the amount of data to be processed is the amount
1133 * of data remaining in the frame.
1135 * If there was no Content-Length entity header, we should
1136 * accumulate all data until the end of the connection.
1137 * That'd require that the TCP dissector call subdissectors
1138 * for all frames with FIN, even if they contain no data,
1139 * which would require subdissectors to deal intelligently
1140 * with empty segments.
1142 * According to RFC 2616, however, 1xx responses, 204 responses,
1143 * and 304 responses MUST NOT include a message body; if no
1144 * content length is specified for them, we don't attempt to
1147 * XXX - it says the same about responses to HEAD requests;
1148 * unless there's a way to determine from the response
1149 * whether it's a response to a HEAD request, we have to
1150 * keep information about the request and associate that with
1151 * the response in order to handle that.
1153 if (headers.have_content_length &&
1154 headers.content_length != -1 &&
1155 headers.transfer_encoding == NULL) {
1156 if (datalen > headers.content_length)
1157 datalen = (int)headers.content_length;
1160 * XXX - limit the reported length in the tvbuff we'll
1161 * hand to a subdissector to be no greater than the
1164 * We really need both unreassembled and "how long it'd
1165 * be if it were reassembled" lengths for tvbuffs, so
1166 * that we throw the appropriate exceptions for
1167 * "not enough data captured" (running past the length),
1168 * "packet needed reassembly" (within the length but
1169 * running past the unreassembled length), and
1170 * "packet is malformed" (running past the reassembled
1173 if (reported_datalen > headers.content_length)
1174 reported_datalen = (int)headers.content_length;
1176 switch (http_type) {
1180 * Requests have no content if there's no
1181 * Content-Length header and no Transfer-Encoding
1184 if (headers.transfer_encoding == NULL)
1187 reported_datalen = -1;
1191 if ((stat_info->response_code/100) == 1 ||
1192 stat_info->response_code == 204 ||
1193 stat_info->response_code == 304)
1194 datalen = 0; /* no content! */
1197 * XXX - responses to HEAD requests,
1198 * and possibly other responses,
1199 * "MUST NOT" include a
1202 reported_datalen = -1;
1208 * XXX - what about HTTP_NOTIFICATION?
1210 reported_datalen = -1;
1217 * There's stuff left over; process it.
1220 void *save_private_data = NULL;
1221 gboolean private_data_changed = FALSE;
1222 gint chunks_decoded = 0;
1225 * Create a tvbuff for the payload.
1227 * The amount of data to be processed that's
1228 * available in the tvbuff is "datalen", which
1229 * is the minimum of the amount of data left in
1230 * the tvbuff and any specified content length.
1232 * The amount of data to be processed that's in
1233 * this frame, regardless of whether it was
1234 * captured or not, is "reported_datalen",
1235 * which, if no content length was specified,
1236 * is -1, i.e. "to the end of the frame.
1238 next_tvb = tvb_new_subset(tvb, offset, datalen,
1242 * Handle *transfer* encodings other than "identity".
1244 if (headers.transfer_encoding != NULL &&
1245 g_ascii_strcasecmp(headers.transfer_encoding, "identity") != 0) {
1246 if (http_dechunk_body &&
1247 (g_ascii_strncasecmp(headers.transfer_encoding, "chunked", 7)
1250 chunks_decoded = chunked_encoding_dissector(
1251 &next_tvb, pinfo, http_tree, 0);
1253 if (chunks_decoded <= 0) {
1255 * The chunks weren't reassembled,
1256 * or there was a single zero
1259 goto body_dissected;
1262 * Add a new data source for the
1265 #if 0 /* Handled in chunked_encoding_dissector() */
1266 tvb_set_child_real_data_tvbuff(tvb,
1269 add_new_data_source(pinfo, next_tvb,
1270 "De-chunked entity body");
1274 * We currently can't handle, for example,
1275 * "gzip", "compress", or "deflate" as
1276 * *transfer* encodings; just handle them
1279 call_dissector(data_handle, next_tvb, pinfo,
1281 goto body_dissected;
1285 * At this point, any chunked *transfer* coding has been removed
1286 * (the entity body has been dechunked) so it can be presented
1287 * for the following operation (*content* encoding), or it has
1288 * been been handed off to the data dissector.
1290 * Handle *content* encodings other than "identity" (which
1291 * shouldn't appear in a Content-Encoding header, but
1292 * we handle it in any case).
1294 if (headers.content_encoding != NULL &&
1295 g_ascii_strcasecmp(headers.content_encoding, "identity") != 0) {
1297 * We currently can't handle, for example, "compress";
1298 * just handle them as data for now.
1300 * After July 7, 2004 the LZW patent expires, so support
1301 * might be added then. However, I don't think that
1302 * anybody ever really implemented "compress", due to
1303 * the aforementioned patent.
1305 tvbuff_t *uncomp_tvb = NULL;
1306 proto_item *e_ti = NULL;
1307 proto_tree *e_tree = NULL;
1309 if (http_decompress_body &&
1310 (g_ascii_strcasecmp(headers.content_encoding, "gzip") == 0 ||
1311 g_ascii_strcasecmp(headers.content_encoding, "deflate") == 0 ||
1312 g_ascii_strcasecmp(headers.content_encoding, "x-gzip") == 0 ||
1313 g_ascii_strcasecmp(headers.content_encoding, "x-deflate") == 0))
1315 uncomp_tvb = tvb_child_uncompress(tvb, next_tvb, 0,
1316 tvb_length(next_tvb));
1320 * Add the encoded entity to the protocol tree
1322 e_ti = proto_tree_add_text(http_tree, next_tvb,
1323 0, tvb_length(next_tvb),
1324 "Content-encoded entity body (%s): %u bytes",
1325 headers.content_encoding,
1326 tvb_length(next_tvb));
1327 e_tree = proto_item_add_subtree(e_ti,
1328 ett_http_encoded_entity);
1330 if (uncomp_tvb != NULL) {
1332 * Decompression worked
1335 /* XXX - Don't free this, since it's possible
1336 * that the data was only partially
1337 * decompressed, such as when desegmentation
1342 proto_item_append_text(e_ti, " -> %u bytes", tvb_length(uncomp_tvb));
1343 next_tvb = uncomp_tvb;
1344 add_new_data_source(pinfo, next_tvb,
1345 "Uncompressed entity body");
1347 proto_item_append_text(e_ti, " [Error: Decompression failed]");
1348 call_dissector(data_handle, next_tvb, pinfo,
1351 goto body_dissected;
1355 * Note that a new data source is added for the entity body
1356 * only if it was content-encoded and/or transfer-encoded.
1359 /* Save values for the Export Object GUI feature if we have
1360 * an active listener to process it (which happens when
1361 * the export object window is open). */
1362 if(have_tap_listener(http_eo_tap)) {
1363 eo_info = wmem_new(wmem_packet_scope(), http_eo_t);
1365 eo_info->hostname = conv_data->http_host;
1366 eo_info->filename = conv_data->request_uri;
1367 eo_info->content_type = headers.content_type;
1368 eo_info->payload_len = tvb_length(next_tvb);
1369 eo_info->payload_data = tvb_get_ptr(next_tvb, 0, eo_info->payload_len);
1371 tap_queue_packet(http_eo_tap, pinfo, eo_info);
1375 * Do subdissector checks.
1377 * First, if we have a Content-Type value, check whether
1378 * there's a subdissector for that media type.
1381 if (headers.content_type != NULL) {
1383 * We didn't find any subdissector that
1384 * registered for the port, and we have a
1385 * Content-Type value. Is there any subdissector
1386 * for that content type?
1388 save_private_data = pinfo->private_data;
1389 private_data_changed = TRUE;
1391 if (headers.content_type_parameters)
1392 pinfo->private_data = wmem_strdup(wmem_packet_scope(), headers.content_type_parameters);
1394 pinfo->private_data = NULL;
1396 * Calling the string handle for the media type
1397 * dissector table will set pinfo->match_string
1398 * to headers.content_type for us.
1400 pinfo->match_string = headers.content_type;
1401 handle = dissector_get_string_handle(
1402 media_type_subdissector_table,
1403 headers.content_type);
1404 if (handle == NULL &&
1405 strncmp(headers.content_type, "multipart/", sizeof("multipart/")-1) == 0) {
1406 /* Try to decode the unknown multipart subtype anyway */
1407 handle = dissector_get_string_handle(
1408 media_type_subdissector_table,
1414 * Now, if we didn't find such a subdissector, check
1415 * whether some subdissector asked that they be called
1416 * if HTTP traffic was on some particular port. This
1417 * handles protocols that use HTTP syntax but don't have
1418 * a media type and instead use a specified port.
1420 if (handle == NULL) {
1421 handle = dissector_get_uint_handle(port_subdissector_table,
1425 if (handle != NULL) {
1427 * We have a subdissector - call it.
1429 dissected = call_dissector_only(handle, next_tvb, pinfo, tree, NULL);
1431 expert_add_info(pinfo, http_tree, &ei_http_subdissector_failed);
1436 * We don't have a subdissector or we have one and it did not
1437 * dissect the payload - try the heuristic subdissectors.
1439 dissected = dissector_try_heuristic(heur_subdissector_list,
1440 next_tvb, pinfo, tree, NULL);
1445 * The subdissector dissected the body.
1446 * Fix up the top-level item so that it doesn't
1447 * include the stuff for that protocol.
1450 proto_item_set_len(ti, offset);
1452 if (headers.content_type != NULL) {
1454 * Calling the default media handle if there is a content-type that
1455 * wasn't handled above.
1457 call_dissector(media_handle, next_tvb, pinfo, tree);
1459 /* Call the default data dissector */
1460 call_dissector(data_handle, next_tvb, pinfo, http_tree);
1466 * Do *not* attempt at freeing the private data;
1467 * it may be in use by subdissectors.
1469 if (private_data_changed) /*restore even NULL value*/
1470 pinfo->private_data = save_private_data;
1472 * We've processed "datalen" bytes worth of data
1473 * (which may be no data at all); advance the
1474 * offset past whatever data we've processed.
1479 if (http_type == HTTP_RESPONSE && pinfo->desegment_offset<=0 && pinfo->desegment_len<=0) {
1480 conv_data->upgrade = headers.upgrade;
1481 conv_data->startframe = pinfo->fd->num + 1;
1484 tap_queue_packet(http_tap, pinfo, stat_info);
1486 return offset - orig_offset;
1489 /* This can be used to dissect an HTTP request until such time
1490 * that a more complete dissector is written for that HTTP request.
1491 * This simple dissector only puts the request method, URI, and
1492 * protocol version into a sub-tree.
1495 basic_request_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1496 const guchar *line, const guchar *lineend,
1497 http_conv_t *conv_data)
1499 const guchar *next_token;
1500 const gchar *request_uri;
1503 /* The first token is the method. */
1504 tokenlen = get_token_len(line, lineend, &next_token);
1507 proto_tree_add_item(tree, hf_http_request_method, tvb, offset, tokenlen,
1509 if ((next_token - line) > 2 && next_token[-1] == ' ' && next_token[-2] == ' ') {
1510 /* Two spaces in a now indicates empty URI, so roll back one here */
1513 offset += (int) (next_token - line);
1516 /* The next token is the URI. */
1517 tokenlen = get_token_len(line, lineend, &next_token);
1519 /* Save the request URI for various later uses */
1520 request_uri = tvb_get_string(wmem_packet_scope(), tvb, offset, tokenlen);
1521 stat_info->request_uri = wmem_strdup(wmem_packet_scope(), request_uri);
1522 conv_data->request_uri = wmem_strdup(wmem_file_scope(), request_uri);
1524 proto_tree_add_string(tree, hf_http_request_uri, tvb, offset, tokenlen,
1526 offset += (int) (next_token - line);
1529 /* Everything to the end of the line is the version. */
1530 tokenlen = (int) (lineend - line);
1531 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1536 basic_response_dissector(tvbuff_t *tvb, proto_tree *tree, int offset,
1537 const guchar *line, const guchar *lineend,
1538 http_conv_t *conv_data _U_)
1540 const guchar *next_token;
1542 gchar response_code_chars[4];
1545 * The first token is the HTTP Version.
1547 tokenlen = get_token_len(line, lineend, &next_token);
1550 proto_tree_add_item(tree, hf_http_version, tvb, offset, tokenlen,
1552 /* Advance to the start of the next token. */
1553 offset += (int) (next_token - line);
1557 * The second token is the Status Code.
1559 tokenlen = get_token_len(line, lineend, &next_token);
1563 /* The Status Code characters must be copied into a null-terminated
1564 * buffer for strtoul() to parse them into an unsigned integer value.
1566 memcpy(response_code_chars, line, 3);
1567 response_code_chars[3] = '\0';
1569 stat_info->response_code = conv_data->response_code =
1570 (guint)strtoul(response_code_chars, NULL, 10);
1572 proto_tree_add_uint(tree, hf_http_response_code, tvb, offset, 3,
1573 stat_info->response_code);
1575 /* Advance to the start of the next token. */
1576 offset += (int) (next_token - line);
1580 * The remaining tokens in the line comprise the Reason Phrase.
1582 tokenlen = (int) (lineend - line);
1585 proto_tree_add_item(tree, hf_http_response_phrase, tvb, offset,
1586 tokenlen, ENC_ASCII|ENC_NA);
1590 #if 0 /* XXX: Replaced by code creating the "Dechunked" tvb O(N) rather tan O(N^2) */
1592 * Dissect the http data chunks and add them to the tree.
1595 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1596 proto_tree *tree, int offset)
1598 guint8 *chunk_string = NULL;
1599 guint32 chunk_size = 0;
1600 gint chunk_offset = 0;
1601 guint32 datalen = 0;
1603 gint chunks_decoded = 0;
1604 tvbuff_t *tvb = NULL;
1605 tvbuff_t *new_tvb = NULL;
1606 gint chunked_data_size = 0;
1607 proto_tree *subtree = NULL;
1608 proto_item *ti = NULL;
1610 if (tvb_ptr == NULL || *tvb_ptr == NULL) {
1616 datalen = tvb_reported_length_remaining(tvb, offset);
1619 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1620 "HTTP chunked response");
1621 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1625 while (datalen > 0) {
1626 proto_item *chunk_ti = NULL;
1627 proto_tree *chunk_subtree = NULL;
1628 tvbuff_t *data_tvb = NULL; /* */
1633 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1636 /* Can't get the chunk size line */
1640 chunk_string = tvb_get_string(wmem_packet_scope(), tvb, offset, linelen);
1642 if (chunk_string == NULL) {
1643 /* Can't get the chunk size line */
1647 c = (gchar*) chunk_string;
1650 * We don't care about the extensions.
1652 if ((c = strchr(c, ';'))) {
1656 chunk_size = (guint32)strtol((gchar*)chunk_string, NULL, 16);
1658 if (chunk_size > datalen) {
1660 * The chunk size is more than what's in the tvbuff,
1661 * so either the user hasn't enabled decoding, or all
1662 * of the segments weren't captured.
1664 chunk_size = datalen;
1667 else if (new_tvb == NULL) {
1668 new_tvb = tvb_new_composite();
1673 if (new_tvb != NULL && chunk_size != 0) {
1674 tvbuff_t *chunk_tvb = NULL;
1676 chunk_tvb = tvb_new_subset(tvb, chunk_offset,
1677 chunk_size, datalen);
1679 tvb_composite_append(new_tvb, chunk_tvb);
1684 chunked_data_size += chunk_size;
1686 raw_data = g_malloc(chunked_data_size);
1689 if (new_tvb != NULL) {
1690 raw_len = tvb_length_remaining(new_tvb, 0);
1691 tvb_memcpy(new_tvb, raw_data, 0, raw_len);
1696 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len),
1697 chunk_offset, chunk_size);
1699 /* Don't create a new tvb if we have a single chunk with
1700 * a size of zero (meaning it is the end of the chunks). */
1701 if(chunked_data_size > 0) {
1702 new_tvb = tvb_new_real_data(raw_data,
1703 chunked_data_size, chunked_data_size);
1704 tvb_set_free_cb(new_tvb, g_free);
1709 if(chunk_size == 0) {
1710 chunk_ti = proto_tree_add_text(subtree, tvb,
1712 chunk_offset - offset + chunk_size + 2,
1713 "End of chunked encoding");
1715 chunk_ti = proto_tree_add_text(subtree, tvb,
1717 chunk_offset - offset + chunk_size + 2,
1718 "Data chunk (%u octets)", chunk_size);
1721 chunk_subtree = proto_item_add_subtree(chunk_ti,
1722 ett_http_chunk_data);
1724 proto_tree_add_text(chunk_subtree, tvb, offset,
1725 chunk_offset - offset, "Chunk size: %u octets",
1728 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, chunk_size);
1732 * XXX - just use "proto_tree_add_text()"?
1733 * This means that, in TShark, you get
1734 * the entire chunk dumped out in hex,
1735 * in addition to whatever dissection is
1736 * done on the reassembled data.
1738 call_dissector(data_handle, data_tvb, pinfo,
1741 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1742 chunk_size, 2, "Chunk boundary");
1746 offset = chunk_offset + chunk_size + 2;
1747 datalen = tvb_reported_length_remaining(tvb, offset);
1750 if (new_tvb != NULL) {
1752 /* Placeholder for the day that composite tvbuffer's will work.
1753 tvb_composite_finalize(new_tvb);
1754 / * tvb_set_reported_length(new_tvb, chunked_data_size); * /
1758 * XXX - Don't free this, since the tvbuffer that was passed
1759 * may be used if the data spans multiple frames and reassembly
1768 * We didn't create a new tvb, so don't allow sub dissectors
1769 * try to decode the non-existent entity body.
1771 chunks_decoded = -1;
1774 return chunks_decoded;
1779 * Dissect the http data chunks and add them to the tree.
1782 chunked_encoding_dissector(tvbuff_t **tvb_ptr, packet_info *pinfo,
1783 proto_tree *tree, int offset)
1787 guint32 orig_datalen;
1788 gint chunks_decoded;
1789 gint chunked_data_size;
1790 proto_tree *subtree;
1794 if ((tvb_ptr == NULL) || (*tvb_ptr == NULL)) {
1800 datalen = tvb_reported_length_remaining(tvb, offset);
1805 ti = proto_tree_add_text(tree, tvb, offset, datalen,
1806 "HTTP chunked response");
1807 subtree = proto_item_add_subtree(ti, ett_http_chunked_response);
1810 /* Dechunk the "chunked response" to a new memory buffer */
1811 orig_datalen = datalen;
1812 raw_data = (guint8 *)wmem_alloc(pinfo->pool, datalen);
1815 chunked_data_size = 0;
1817 while (datalen > 0) {
1821 guint8 *chunk_string;
1825 linelen = tvb_find_line_end(tvb, offset, -1, &chunk_offset, TRUE);
1828 /* Can't get the chunk size line */
1832 chunk_string = tvb_get_string(wmem_packet_scope(), tvb, offset, linelen);
1834 if (chunk_string == NULL) {
1835 /* Can't get the chunk size line */
1839 c = (gchar*)chunk_string;
1842 * We don't care about the extensions.
1844 if ((c = strchr(c, ';'))) {
1848 chunk_size = (guint32)strtol((gchar*)chunk_string, NULL, 16);
1850 if (chunk_size > datalen) {
1852 * The chunk size is more than what's in the tvbuff,
1853 * so either the user hasn't enabled decoding, or all
1854 * of the segments weren't captured.
1856 chunk_size = datalen;
1859 chunked_data_size += chunk_size;
1861 DISSECTOR_ASSERT((raw_len+chunk_size) <= orig_datalen);
1862 tvb_memcpy(tvb, (guint8 *)(raw_data + raw_len), chunk_offset, chunk_size);
1863 raw_len += chunk_size;
1866 proto_item *chunk_ti;
1867 proto_tree *chunk_subtree;
1869 if(chunk_size == 0) {
1870 chunk_ti = proto_tree_add_text(subtree, tvb,
1872 chunk_offset - offset + chunk_size + 2,
1873 "End of chunked encoding");
1875 chunk_ti = proto_tree_add_text(subtree, tvb,
1877 chunk_offset - offset + chunk_size + 2,
1878 "Data chunk (%u octets)", chunk_size);
1881 chunk_subtree = proto_item_add_subtree(chunk_ti,
1882 ett_http_chunk_data);
1884 proto_tree_add_text(chunk_subtree, tvb, offset,
1885 chunk_offset - offset, "Chunk size: %u octets",
1888 data_tvb = tvb_new_subset(tvb, chunk_offset, chunk_size, datalen);
1891 * XXX - just use "proto_tree_add_text()"?
1892 * This means that, in TShark, you get
1893 * the entire chunk dumped out in hex,
1894 * in addition to whatever dissection is
1895 * done on the reassembled data.
1897 call_dissector(data_handle, data_tvb, pinfo,
1900 proto_tree_add_text(chunk_subtree, tvb, chunk_offset +
1901 chunk_size, 2, "Chunk boundary");
1905 offset = chunk_offset + 2 + chunk_size; /* beginning of next chunk */
1906 datalen = tvb_reported_length_remaining(tvb, offset);
1909 if (chunked_data_size > 0) {
1911 new_tvb = tvb_new_child_real_data(tvb, raw_data, chunked_data_size, chunked_data_size);
1915 * There was no actual chunk data, so don't allow sub dissectors
1916 * try to decode the non-existent entity body.
1918 chunks_decoded = -1;
1921 return chunks_decoded;
1925 /* Call a subdissector to handle HTTP CONNECT's traffic */
1927 http_payload_subdissector(tvbuff_t *tvb, proto_tree *tree,
1928 packet_info *pinfo, http_conv_t *conv_data, void* data)
1930 guint32 *ptr = NULL;
1931 guint32 uri_port, saved_port, srcport, destport;
1932 gchar **strings; /* An array for splitting the request URI into hostname and port */
1934 proto_tree *proxy_tree;
1935 conversation_t *conv;
1937 /* Grab the destination port number from the request URI to find the right subdissector */
1938 strings = g_strsplit(conv_data->request_uri, ":", 2);
1940 if(strings[0] != NULL && strings[1] != NULL) {
1942 * The string was successfully split in two
1943 * Create a proxy-connect subtree
1946 item = proto_tree_add_item(tree, proto_http, tvb, 0, -1, ENC_NA);
1947 proxy_tree = proto_item_add_subtree(item, ett_http);
1949 item = proto_tree_add_string(proxy_tree, hf_http_proxy_connect_host,
1950 tvb, 0, 0, strings[0]);
1951 PROTO_ITEM_SET_GENERATED(item);
1953 item = proto_tree_add_uint(proxy_tree, hf_http_proxy_connect_port,
1954 tvb, 0, 0, (guint32)strtol(strings[1], NULL, 10) );
1955 PROTO_ITEM_SET_GENERATED(item);
1958 uri_port = (int)strtol(strings[1], NULL, 10); /* Convert string to a base-10 integer */
1960 if (value_is_in_range(http_tcp_range, pinfo->destport)) {
1961 srcport = pinfo->srcport;
1962 destport = uri_port;
1965 destport = pinfo->destport;
1968 conv = find_conversation(PINFO_FD_NUM(pinfo), &pinfo->src, &pinfo->dst, PT_TCP, srcport, destport, 0);
1970 /* We may get stuck in a recursion loop if we let process_tcp_payload() call us.
1971 * So, if the port in the URI is one we're registered for or we have set up a
1972 * conversation (e.g., one we detected heuristically or via Decode-As) call the data
1973 * dissector directly.
1975 if (value_is_in_range(http_tcp_range, uri_port) || (conv && conv->dissector_handle == http_handle)) {
1976 call_dissector(data_handle, tvb, pinfo, tree);
1978 /* set pinfo->{src/dst port} and call the TCP sub-dissector lookup */
1979 if (value_is_in_range(http_tcp_range, pinfo->destport))
1980 ptr = &pinfo->destport;
1982 ptr = &pinfo->srcport;
1984 /* Increase pinfo->can_desegment because we are traversing
1985 * http and want to preserve desegmentation functionality for
1986 * the proxied protocol
1988 if( pinfo->can_desegment>0 )
1989 pinfo->can_desegment++;
1993 decode_tcp_ports(tvb, 0, pinfo, tree,
1994 pinfo->srcport, pinfo->destport, NULL,
1995 (struct tcpinfo *)data);
1999 g_strfreev(strings); /* Free the result of g_strsplit() above */
2005 * XXX - this won't handle HTTP 0.9 replies, but they're all data
2009 is_http_request_or_reply(const gchar *data, int linelen, http_type_t *type,
2010 ReqRespDissector *reqresp_dissector,
2011 http_conv_t *conv_data)
2013 int isHttpRequestOrReply = FALSE;
2016 * From RFC 2774 - An HTTP Extension Framework
2018 * Support the command prefix that identifies the presence of
2019 * a "mandatory" header.
2021 if (linelen >= 2 && strncmp(data, "M-", 2) == 0) {
2027 * From draft-cohen-gena-client-01.txt, available from the uPnP forum:
2028 * NOTIFY, SUBSCRIBE, UNSUBSCRIBE
2030 * From draft-ietf-dasl-protocol-00.txt, a now vanished Microsoft draft:
2033 if (linelen >= 5 && strncmp(data, "HTTP/", 5) == 0) {
2034 *type = HTTP_RESPONSE;
2035 isHttpRequestOrReply = TRUE; /* response */
2036 if (reqresp_dissector)
2037 *reqresp_dissector = basic_response_dissector;
2039 const guchar * ptr = (const guchar *)data;
2042 /* Look for the space following the Method */
2043 while (indx < linelen) {
2052 /* Check the methods that have same length */
2056 if (strncmp(data, "GET", indx) == 0 ||
2057 strncmp(data, "PUT", indx) == 0) {
2058 *type = HTTP_REQUEST;
2059 isHttpRequestOrReply = TRUE;
2061 else if (strncmp(data, "ICY", indx) == 0) {
2062 *type = HTTP_RESPONSE;
2063 isHttpRequestOrReply = TRUE;
2068 if (strncmp(data, "COPY", indx) == 0 ||
2069 strncmp(data, "HEAD", indx) == 0 ||
2070 strncmp(data, "LOCK", indx) == 0 ||
2071 strncmp(data, "MOVE", indx) == 0 ||
2072 strncmp(data, "POLL", indx) == 0 ||
2073 strncmp(data, "POST", indx) == 0) {
2074 *type = HTTP_REQUEST;
2075 isHttpRequestOrReply = TRUE;
2080 if (strncmp(data, "BCOPY", indx) == 0 ||
2081 strncmp(data, "BMOVE", indx) == 0 ||
2082 strncmp(data, "MKCOL", indx) == 0 ||
2083 strncmp(data, "TRACE", indx) == 0 ||
2084 strncmp(data, "LABEL", indx) == 0 || /* RFC 3253 8.2 */
2085 strncmp(data, "MERGE", indx) == 0) { /* RFC 3253 11.2 */
2086 *type = HTTP_REQUEST;
2087 isHttpRequestOrReply = TRUE;
2092 if (strncmp(data, "DELETE", indx) == 0 ||
2093 strncmp(data, "SEARCH", indx) == 0 ||
2094 strncmp(data, "UNLOCK", indx) == 0 ||
2095 strncmp(data, "REPORT", indx) == 0 || /* RFC 3253 3.6 */
2096 strncmp(data, "UPDATE", indx) == 0) { /* RFC 3253 7.1 */
2097 *type = HTTP_REQUEST;
2098 isHttpRequestOrReply = TRUE;
2100 else if (strncmp(data, "NOTIFY", indx) == 0) {
2101 *type = HTTP_NOTIFICATION;
2102 isHttpRequestOrReply = TRUE;
2107 if (strncmp(data, "BDELETE", indx) == 0 ||
2108 strncmp(data, "CONNECT", indx) == 0 ||
2109 strncmp(data, "OPTIONS", indx) == 0 ||
2110 strncmp(data, "CHECKIN", indx) == 0) { /* RFC 3253 4.4, 9.4 */
2111 *type = HTTP_REQUEST;
2112 isHttpRequestOrReply = TRUE;
2117 if (strncmp(data, "PROPFIND", indx) == 0 ||
2118 strncmp(data, "CHECKOUT", indx) == 0 || /* RFC 3253 4.3, 9.3 */
2119 strncmp(data, "CCM_POST", indx) == 0) {
2120 *type = HTTP_REQUEST;
2121 isHttpRequestOrReply = TRUE;
2126 if (strncmp(data, "SUBSCRIBE", indx) == 0) {
2127 *type = HTTP_NOTIFICATION;
2128 isHttpRequestOrReply = TRUE;
2129 } else if (strncmp(data, "PROPPATCH", indx) == 0 ||
2130 strncmp(data, "BPROPFIND", indx) == 0) {
2131 *type = HTTP_REQUEST;
2132 isHttpRequestOrReply = TRUE;
2137 if (strncmp(data, "BPROPPATCH", indx) == 0 ||
2138 strncmp(data, "UNCHECKOUT", indx) == 0 || /* RFC 3253 4.5 */
2139 strncmp(data, "MKACTIVITY", indx) == 0) { /* RFC 3253 13.5 */
2140 *type = HTTP_REQUEST;
2141 isHttpRequestOrReply = TRUE;
2146 if (strncmp(data, "MKWORKSPACE", indx) == 0 || /* RFC 3253 6.3 */
2147 strncmp(data, "RPC_CONNECT", indx) == 0 || /* [MS-RPCH] 2.1.1.1.1 */
2148 strncmp(data, "RPC_IN_DATA", indx) == 0) { /* [MS-RPCH] 2.1.2.1.1 */
2149 *type = HTTP_REQUEST;
2150 isHttpRequestOrReply = TRUE;
2151 } else if (strncmp(data, "UNSUBSCRIBE", indx) == 0) {
2152 *type = HTTP_NOTIFICATION;
2153 isHttpRequestOrReply = TRUE;
2158 if (strncmp(data, "RPC_OUT_DATA", indx) == 0) { /* [MS-RPCH] 2.1.2.1.2 */
2159 *type = HTTP_REQUEST;
2160 isHttpRequestOrReply = TRUE;
2165 if (strncmp(data, "VERSION-CONTROL", indx) == 0) { /* RFC 3253 3.5 */
2166 *type = HTTP_REQUEST;
2167 isHttpRequestOrReply = TRUE;
2172 if (strncmp(data, "BASELINE-CONTROL", indx) == 0) { /* RFC 3253 12.6 */
2173 *type = HTTP_REQUEST;
2174 isHttpRequestOrReply = TRUE;
2182 if (isHttpRequestOrReply && reqresp_dissector) {
2183 *reqresp_dissector = basic_request_dissector;
2185 stat_info->request_method = wmem_strndup(wmem_packet_scope(), data, indx+1);
2186 conv_data->request_method = wmem_strndup(wmem_file_scope(), data, indx+1);
2193 return isHttpRequestOrReply;
2205 #define HDR_NO_SPECIAL 0
2206 #define HDR_AUTHORIZATION 1
2207 #define HDR_AUTHENTICATE 2
2208 #define HDR_CONTENT_TYPE 3
2209 #define HDR_CONTENT_LENGTH 4
2210 #define HDR_CONTENT_ENCODING 5
2211 #define HDR_TRANSFER_ENCODING 6
2213 #define HDR_UPGRADE 8
2215 static const header_info headers[] = {
2216 { "Authorization", &hf_http_authorization, HDR_AUTHORIZATION },
2217 { "Proxy-Authorization", &hf_http_proxy_authorization, HDR_AUTHORIZATION },
2218 { "Proxy-Authenticate", &hf_http_proxy_authenticate, HDR_AUTHENTICATE },
2219 { "WWW-Authenticate", &hf_http_www_authenticate, HDR_AUTHENTICATE },
2220 { "Content-Type", &hf_http_content_type, HDR_CONTENT_TYPE },
2221 { "Content-Length", &hf_http_content_length_header, HDR_CONTENT_LENGTH },
2222 { "Content-Encoding", &hf_http_content_encoding, HDR_CONTENT_ENCODING },
2223 { "Transfer-Encoding", &hf_http_transfer_encoding, HDR_TRANSFER_ENCODING },
2224 { "Upgrade", &hf_http_upgrade, HDR_UPGRADE },
2225 { "User-Agent", &hf_http_user_agent, HDR_NO_SPECIAL },
2226 { "Host", &hf_http_host, HDR_HOST },
2227 { "Connection", &hf_http_connection, HDR_NO_SPECIAL },
2228 { "Cookie", &hf_http_cookie, HDR_NO_SPECIAL },
2229 { "Accept", &hf_http_accept, HDR_NO_SPECIAL },
2230 { "Referer", &hf_http_referer, HDR_NO_SPECIAL },
2231 { "Accept-Language", &hf_http_accept_language, HDR_NO_SPECIAL },
2232 { "Accept-Encoding", &hf_http_accept_encoding, HDR_NO_SPECIAL },
2233 { "Date", &hf_http_date, HDR_NO_SPECIAL },
2234 { "Cache-Control", &hf_http_cache_control, HDR_NO_SPECIAL },
2235 { "Server", &hf_http_server, HDR_NO_SPECIAL },
2236 { "Location", &hf_http_location, HDR_NO_SPECIAL },
2237 { "Sec-WebSocket-Accept", &hf_http_sec_websocket_accept, HDR_NO_SPECIAL },
2238 { "Sec-WebSocket-Extensions", &hf_http_sec_websocket_extensions, HDR_NO_SPECIAL },
2239 { "Sec-WebSocket-Key", &hf_http_sec_websocket_key, HDR_NO_SPECIAL },
2240 { "Sec-WebSocket-Protocol", &hf_http_sec_websocket_protocol, HDR_NO_SPECIAL },
2241 { "Sec-WebSocket-Version", &hf_http_sec_websocket_version, HDR_NO_SPECIAL },
2242 { "Set-Cookie", &hf_http_set_cookie, HDR_NO_SPECIAL },
2243 { "Last-Modified", &hf_http_last_modified, HDR_NO_SPECIAL },
2244 { "X-Forwarded-For", &hf_http_x_forwarded_for, HDR_NO_SPECIAL },
2251 get_hf_for_header(char* header_name)
2255 if (header_fields_hash) {
2256 hf_id = (gint*) g_hash_table_lookup(header_fields_hash, header_name);
2268 header_fields_initialize_cb(void)
2270 static hf_register_info* hf;
2275 if (header_fields_hash && hf) {
2276 guint hf_size = g_hash_table_size (header_fields_hash);
2277 /* Unregister all fields */
2278 for (i = 0; i < hf_size; i++) {
2279 proto_unregister_field (proto_http, *(hf[i].p_id));
2281 g_free (hf[i].p_id);
2282 g_free ((char *) hf[i].hfinfo.name);
2283 g_free ((char *) hf[i].hfinfo.abbrev);
2284 g_free ((char *) hf[i].hfinfo.blurb);
2286 g_hash_table_destroy (header_fields_hash);
2288 header_fields_hash = NULL;
2291 if (num_header_fields) {
2292 header_fields_hash = g_hash_table_new(g_str_hash, g_str_equal);
2293 hf = g_new0(hf_register_info, num_header_fields);
2295 for (i = 0; i < num_header_fields; i++) {
2296 hf_id = g_new(gint,1);
2298 header_name = g_strdup(header_fields[i].header_name);
2301 hf[i].hfinfo.name = header_name;
2302 hf[i].hfinfo.abbrev = g_strdup_printf("http.header.%s", header_name);
2303 hf[i].hfinfo.type = FT_STRING;
2304 hf[i].hfinfo.display = BASE_NONE;
2305 hf[i].hfinfo.strings = NULL;
2306 hf[i].hfinfo.blurb = g_strdup(header_fields[i].header_desc);
2307 hf[i].hfinfo.same_name_prev_id = -1;
2308 hf[i].hfinfo.same_name_next = NULL;
2310 g_hash_table_insert(header_fields_hash, header_name, hf_id);
2313 proto_register_field_array(proto_http, hf, num_header_fields);
2318 process_header(tvbuff_t *tvb, int offset, int next_offset,
2319 const guchar *line, int linelen, int colon_offset,
2320 packet_info *pinfo, proto_tree *tree, headers_t *eh_ptr,
2321 http_conv_t *conv_data, int http_type)
2324 int line_end_offset;
2334 proto_item *hdr_item, *it;
2338 len = next_offset - offset;
2339 line_end_offset = offset + linelen;
2340 header_len = colon_offset - offset;
2341 header_name = wmem_strndup(wmem_file_scope(), &line[0], header_len);
2342 hf_index = find_header_hf_value(tvb, offset, header_len);
2345 * Skip whitespace after the colon.
2347 value_offset = colon_offset + 1;
2348 while (value_offset < line_end_offset
2349 && ((c = line[value_offset - offset]) == ' ' || c == '\t'))
2355 * XXX - the line may well have a NUL in it. Wireshark should
2356 * really treat strings extracted from packets as counted
2357 * strings, so that NUL isn't any different from any other
2358 * character. For now, we just allocate a buffer that's
2359 * value_len+1 bytes long, copy value_len bytes, and stick
2360 * in a NUL terminator, so that the buffer for value actually
2361 * has value_len bytes in it.
2363 value_len = line_end_offset - value_offset;
2364 value = (char *)wmem_alloc(wmem_packet_scope(), value_len+1);
2365 memcpy(value, &line[value_offset - offset], value_len);
2366 value[value_len] = '\0';
2368 if (hf_index == -1) {
2370 * Not a header we know anything about.
2371 * Check if a HF generated from UAT information exists.
2373 hf_id = get_hf_for_header(header_name);
2377 if (http_type == HTTP_REQUEST ||
2378 http_type == HTTP_RESPONSE) {
2379 it = proto_tree_add_item(tree,
2380 http_type == HTTP_RESPONSE ?
2381 hf_http_response_line :
2382 hf_http_request_line,
2385 proto_item_set_text(it, "%s",
2386 format_text(line, len));
2388 proto_tree_add_text(tree, tvb, offset,
2389 len, "%s", format_text(line, len));
2393 proto_tree_add_string_format(tree,
2394 *hf_id, tvb, offset, len,
2395 value, "%s", format_text(line, len));
2396 if (http_type == HTTP_REQUEST ||
2397 http_type == HTTP_RESPONSE) {
2398 it = proto_tree_add_item(tree,
2399 http_type == HTTP_RESPONSE ?
2400 hf_http_response_line :
2401 hf_http_request_line,
2404 proto_item_set_text(it, "%s",
2405 format_text(line, len));
2406 PROTO_ITEM_SET_HIDDEN(it);
2412 * Add it to the protocol tree as a particular field,
2413 * but display the line as is.
2416 header_field_info *hfinfo;
2419 hfinfo = proto_registrar_get_nth(*headers[hf_index].hf);
2420 switch(hfinfo->type){
2429 tmp=(guint32)strtol(value, NULL, 10);
2430 hdr_item = proto_tree_add_uint(tree, *headers[hf_index].hf, tvb, offset, len, tmp);
2431 if (http_type == HTTP_REQUEST ||
2432 http_type == HTTP_RESPONSE) {
2433 it = proto_tree_add_item(tree,
2434 http_type == HTTP_RESPONSE ?
2435 hf_http_response_line :
2436 hf_http_request_line,
2439 proto_item_set_text(it, "%d", tmp);
2440 PROTO_ITEM_SET_HIDDEN(it);
2444 hdr_item = proto_tree_add_string_format(tree,
2445 *headers[hf_index].hf, tvb, offset, len,
2446 value, "%s", format_text(line, len));
2447 if (http_type == HTTP_REQUEST ||
2448 http_type == HTTP_RESPONSE) {
2449 it = proto_tree_add_item(tree,
2450 http_type == HTTP_RESPONSE ?
2451 hf_http_response_line :
2452 hf_http_request_line,
2455 proto_item_set_text(it, "%s",
2456 format_text(line, len));
2457 PROTO_ITEM_SET_HIDDEN(it);
2464 * Do any special processing that particular headers
2467 switch (headers[hf_index].special) {
2469 case HDR_AUTHORIZATION:
2470 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
2471 break; /* dissected NTLMSSP */
2472 if (check_auth_basic(hdr_item, tvb, value))
2473 break; /* dissected basic auth */
2474 check_auth_kerberos(hdr_item, tvb, pinfo, value);
2477 case HDR_AUTHENTICATE:
2478 if (check_auth_ntlmssp(hdr_item, tvb, pinfo, value))
2479 break; /* dissected NTLMSSP */
2480 check_auth_kerberos(hdr_item, tvb, pinfo, value);
2483 case HDR_CONTENT_TYPE:
2484 eh_ptr->content_type = (gchar*) wmem_memdup(wmem_packet_scope(), (guint8*)value,value_len + 1);
2486 for (i = 0; i < value_len; i++) {
2488 if (c == ';' || g_ascii_isspace(c)) {
2490 * End of subtype - either
2491 * white space or a ";"
2492 * separating the subtype from
2499 * Map the character to lower case;
2500 * content types are case-insensitive.
2502 eh_ptr->content_type[i] = g_ascii_tolower(eh_ptr->content_type[i]);
2504 eh_ptr->content_type[i] = '\0';
2506 * Now find the start of the optional parameters;
2507 * skip the optional white space and the semicolon
2508 * if this has not been done before.
2511 while (i < value_len) {
2512 c = eh_ptr->content_type[i];
2513 if (c == ';' || g_ascii_isspace(c))
2514 /* Skip till start of parameters */
2520 eh_ptr->content_type_parameters = eh_ptr->content_type + i;
2522 eh_ptr->content_type_parameters = NULL;
2525 case HDR_CONTENT_LENGTH:
2527 eh_ptr->content_length = g_ascii_strtoll(value, &p, 10);
2529 if (eh_ptr->content_length < 0 ||
2532 (*up != '\0' && !isspace(*up))) {
2534 * Content length not valid; pretend
2537 eh_ptr->have_content_length = FALSE;
2539 proto_tree *header_tree;
2540 proto_item *tree_item;
2542 * We do have a valid content length.
2544 eh_ptr->have_content_length = TRUE;
2545 header_tree = proto_item_add_subtree(hdr_item, ett_http_header_item);
2546 tree_item = proto_tree_add_uint64(header_tree, hf_http_content_length,
2547 tvb, offset, len, eh_ptr->content_length);
2548 PROTO_ITEM_SET_GENERATED(tree_item);
2549 if (eh_ptr->transfer_encoding != NULL &&
2550 g_ascii_strncasecmp(eh_ptr->transfer_encoding, "chunked", 7) == 0) {
2551 expert_add_info(pinfo, hdr_item, &ei_http_chunked_and_length);
2556 case HDR_CONTENT_ENCODING:
2557 eh_ptr->content_encoding = wmem_strndup(wmem_packet_scope(), value, value_len);
2560 case HDR_TRANSFER_ENCODING:
2561 eh_ptr->transfer_encoding = wmem_strndup(wmem_packet_scope(), value, value_len);
2562 if (eh_ptr->have_content_length &&
2563 g_ascii_strncasecmp(eh_ptr->transfer_encoding, "chunked", 7) == 0) {
2564 expert_add_info(pinfo, hdr_item, &ei_http_chunked_and_length);
2569 stat_info->http_host = wmem_strndup(wmem_packet_scope(), value, value_len);
2570 conv_data->http_host = wmem_strndup(wmem_file_scope(), value, value_len);
2574 if (g_ascii_strncasecmp(value, "WebSocket", value_len) == 0){
2575 eh_ptr->upgrade = UPGRADE_WEBSOCKET;
2577 /* Check if upgrade is HTTP 2.0 (work for HTTP/2.0 and draft HTTP-draft-XX/2.0) */
2578 if ( (g_str_has_prefix(value, "HTTP") && g_str_has_suffix(value, "/2.0")) == 1){
2579 eh_ptr->upgrade = UPGRADE_HTTP2;
2586 /* Returns index of header tag in headers */
2588 find_header_hf_value(tvbuff_t *tvb, int offset, guint header_len)
2592 for (i = 0; i < array_length(headers); i++) {
2593 if (header_len == strlen(headers[i].name) &&
2594 tvb_strncaseeql(tvb, offset,
2595 headers[i].name, header_len) == 0)
2603 * Dissect Microsoft's abomination called NTLMSSP over HTTP.
2606 check_auth_ntlmssp(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, gchar *value)
2608 static const char *ntlm_headers[] = {
2613 const char **header;
2615 proto_tree *hdr_tree;
2618 * Check for NTLM credentials and challenge; those can
2619 * occur with WWW-Authenticate.
2621 for (header = &ntlm_headers[0]; *header != NULL; header++) {
2622 hdrlen = strlen(*header);
2623 if (strncmp(value, *header, hdrlen) == 0) {
2624 if (hdr_item != NULL) {
2625 hdr_tree = proto_item_add_subtree(hdr_item,
2630 dissect_http_ntlmssp(tvb, pinfo, hdr_tree, value);
2638 * Dissect HTTP Basic authorization.
2641 check_auth_basic(proto_item *hdr_item, tvbuff_t *tvb, gchar *value)
2643 static const char *basic_headers[] = {
2647 const char **header;
2649 proto_tree *hdr_tree;
2651 for (header = &basic_headers[0]; *header != NULL; header++) {
2652 hdrlen = strlen(*header);
2653 if (strncmp(value, *header, hdrlen) == 0) {
2654 if (hdr_item != NULL) {
2655 hdr_tree = proto_item_add_subtree(hdr_item,
2661 ws_base64_decode_inplace(value);
2662 proto_tree_add_string(hdr_tree, hf_http_basic, tvb,
2672 check_auth_kerberos(proto_item *hdr_item, tvbuff_t *tvb, packet_info *pinfo, const gchar *value)
2674 proto_tree *hdr_tree;
2676 if (strncmp(value, "Kerberos ", 9) == 0) {
2677 if (hdr_item != NULL) {
2678 hdr_tree = proto_item_add_subtree(hdr_item, ett_http_kerberos);
2682 dissect_http_kerberos(tvb, pinfo, hdr_tree, value);
2689 dissect_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void* data)
2691 http_conv_t *conv_data;
2696 * Check if this is proxied connection and if so, hand of dissection to the
2697 * payload-dissector.
2698 * Response code 200 means "OK" and strncmp() == 0 means the strings match exactly */
2699 conv_data = get_http_conversation_data(pinfo);
2700 if(pinfo->fd->num >= conv_data->startframe &&
2701 conv_data->response_code == 200 &&
2702 conv_data->request_method &&
2703 strncmp(conv_data->request_method, "CONNECT", 7) == 0 &&
2704 conv_data->request_uri) {
2705 if(conv_data->startframe == 0 && !pinfo->fd->flags.visited)
2706 conv_data->startframe = pinfo->fd->num;
2707 http_payload_subdissector(tvb, tree, pinfo, conv_data, data);
2709 while (tvb_reported_length_remaining(tvb, offset) > 0) {
2710 if (conv_data->upgrade == UPGRADE_WEBSOCKET && pinfo->fd->num >= conv_data->startframe) {
2711 /*g_warning("Go Websocket");*/
2712 call_dissector_only(websocket_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
2715 if (conv_data->upgrade == UPGRADE_HTTP2 && pinfo->fd->num >= conv_data->startframe) {
2716 /*g_warning("Go HTTP2");*/
2717 call_dissector_only(http2_handle, tvb_new_subset_remaining(tvb, offset), pinfo, tree, NULL);
2720 len = dissect_http_message(tvb, offset, pinfo, tree, conv_data);
2726 * OK, we've set the Protocol and Info columns for the
2727 * first HTTP message; set a fence so that subsequent
2728 * HTTP messages don't overwrite the Info column.
2730 col_set_fence(pinfo->cinfo, COL_INFO);
2734 return tvb_length(tvb);
2738 dissect_http_heur_tcp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree, void *data)
2740 gint offset = 0, next_offset, linelen;
2741 conversation_t *conversation;
2744 /* Check if we have a line terminated by CRLF
2745 * Return the length of the line (not counting the line terminator at
2746 * the end), or, if we don't find a line terminator:
2748 * if "deseg" is true, return -1;
2750 linelen = tvb_find_line_end(tvb, offset, -1, &next_offset, TRUE);
2751 if((linelen == -1)||(linelen == 8)){
2755 /* Check if the line start or ends with the HTTP token */
2756 if((tvb_strncaseeql(tvb, linelen-8, "HTTP/1.1", 8) == 0)||(tvb_strncaseeql(tvb, 0, "HTTP/1.1", 8) == 0)){
2757 conversation = find_or_create_conversation(pinfo);
2758 conversation_set_dissector(conversation,http_handle);
2759 dissect_http(tvb, pinfo, tree, data);
2767 dissect_http_udp(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
2769 http_conv_t *conv_data;
2771 conv_data = get_http_conversation_data(pinfo);
2772 dissect_http_message(tvb, 0, pinfo, tree, conv_data);
2777 range_delete_http_ssl_callback(guint32 port) {
2778 ssl_dissector_delete(port, "http", TRUE);
2782 range_add_http_ssl_callback(guint32 port) {
2783 ssl_dissector_add(port, "http", TRUE);
2786 static void reinit_http(void) {
2787 dissector_delete_uint_range("tcp.port", http_tcp_range, http_handle);
2788 g_free(http_tcp_range);
2789 http_tcp_range = range_copy(global_http_tcp_range);
2790 dissector_add_uint_range("tcp.port", http_tcp_range, http_handle);
2792 range_foreach(http_ssl_range, range_delete_http_ssl_callback);
2793 g_free(http_ssl_range);
2794 http_ssl_range = range_copy(global_http_ssl_range);
2795 range_foreach(http_ssl_range, range_add_http_ssl_callback);
2799 proto_register_http(void)
2801 static hf_register_info hf[] = {
2802 { &hf_http_notification,
2803 { "Notification", "http.notification",
2804 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2805 "TRUE if HTTP notification", HFILL }},
2806 { &hf_http_response,
2807 { "Response", "http.response",
2808 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2809 "TRUE if HTTP response", HFILL }},
2811 { "Request", "http.request",
2812 FT_BOOLEAN, BASE_NONE, NULL, 0x0,
2813 "TRUE if HTTP request", HFILL }},
2815 { "Credentials", "http.authbasic",
2816 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2817 { &hf_http_response_line,
2818 { "Response line", "http.response.line",
2819 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2820 { &hf_http_request_line,
2821 { "Request line", "http.request.line",
2822 FT_STRING, BASE_NONE, NULL, 0x0, NULL, HFILL }},
2823 { &hf_http_request_method,
2824 { "Request Method", "http.request.method",
2825 FT_STRING, BASE_NONE, NULL, 0x0,
2826 "HTTP Request Method", HFILL }},
2827 { &hf_http_request_uri,
2828 { "Request URI", "http.request.uri",
2829 FT_STRING, BASE_NONE, NULL, 0x0,
2830 "HTTP Request-URI", HFILL }},
2832 { "Request Version", "http.request.version",
2833 FT_STRING, BASE_NONE, NULL, 0x0,
2834 "HTTP Request HTTP-Version", HFILL }},
2835 { &hf_http_request_full_uri,
2836 { "Full request URI", "http.request.full_uri",
2837 FT_STRING, BASE_NONE, NULL, 0x0,
2838 "The full requested URI (including host name)", HFILL }},
2839 { &hf_http_response_code,
2840 { "Status Code", "http.response.code",
2841 FT_UINT16, BASE_DEC, NULL, 0x0,
2842 "HTTP Response Status Code", HFILL }},
2843 { &hf_http_response_phrase,
2844 { "Response Phrase", "http.response.phrase",
2845 FT_STRING, BASE_NONE, NULL, 0x0,
2846 "HTTP Response Reason Phrase", HFILL }},
2847 { &hf_http_authorization,
2848 { "Authorization", "http.authorization",
2849 FT_STRING, BASE_NONE, NULL, 0x0,
2850 "HTTP Authorization header", HFILL }},
2851 { &hf_http_proxy_authenticate,
2852 { "Proxy-Authenticate", "http.proxy_authenticate",
2853 FT_STRING, BASE_NONE, NULL, 0x0,
2854 "HTTP Proxy-Authenticate header", HFILL }},
2855 { &hf_http_proxy_authorization,
2856 { "Proxy-Authorization", "http.proxy_authorization",
2857 FT_STRING, BASE_NONE, NULL, 0x0,
2858 "HTTP Proxy-Authorization header", HFILL }},
2859 { &hf_http_proxy_connect_host,
2860 { "Proxy-Connect-Hostname", "http.proxy_connect_host",
2861 FT_STRING, BASE_NONE, NULL, 0x0,
2862 "HTTP Proxy Connect Hostname", HFILL }},
2863 { &hf_http_proxy_connect_port,
2864 { "Proxy-Connect-Port", "http.proxy_connect_port",
2865 FT_UINT16, BASE_DEC, NULL, 0x0,
2866 "HTTP Proxy Connect Port", HFILL }},
2867 { &hf_http_www_authenticate,
2868 { "WWW-Authenticate", "http.www_authenticate",
2869 FT_STRING, BASE_NONE, NULL, 0x0,
2870 "HTTP WWW-Authenticate header", HFILL }},
2871 { &hf_http_content_type,
2872 { "Content-Type", "http.content_type",
2873 FT_STRING, BASE_NONE, NULL, 0x0,
2874 "HTTP Content-Type header", HFILL }},
2875 { &hf_http_content_length_header,
2876 { "Content-Length", "http.content_length_header",
2877 FT_STRING, BASE_NONE, NULL, 0x0,
2878 "HTTP Content-Length header", HFILL }},
2879 { &hf_http_content_length,
2880 { "Content length", "http.content_length",
2881 FT_UINT64, BASE_DEC, NULL, 0x0,
2883 { &hf_http_content_encoding,
2884 { "Content-Encoding", "http.content_encoding",
2885 FT_STRING, BASE_NONE, NULL, 0x0,
2886 "HTTP Content-Encoding header", HFILL }},
2887 { &hf_http_transfer_encoding,
2888 { "Transfer-Encoding", "http.transfer_encoding",
2889 FT_STRING, BASE_NONE, NULL, 0x0,
2890 "HTTP Transfer-Encoding header", HFILL }},
2892 { "Upgrade", "http.upgrade",
2893 FT_STRING, BASE_NONE, NULL, 0x0,
2894 "HTTP Upgrade header", HFILL }},
2895 { &hf_http_user_agent,
2896 { "User-Agent", "http.user_agent",
2897 FT_STRING, BASE_NONE, NULL, 0x0,
2898 "HTTP User-Agent header", HFILL }},
2900 { "Host", "http.host",
2901 FT_STRING, BASE_NONE, NULL, 0x0,
2902 "HTTP Host", HFILL }},
2903 { &hf_http_connection,
2904 { "Connection", "http.connection",
2905 FT_STRING, BASE_NONE, NULL, 0x0,
2906 "HTTP Connection", HFILL }},
2908 { "Cookie", "http.cookie",
2909 FT_STRING, BASE_NONE, NULL, 0x0,
2910 "HTTP Cookie", HFILL }},
2912 { "Accept", "http.accept",
2913 FT_STRING, BASE_NONE, NULL, 0x0,
2914 "HTTP Accept", HFILL }},
2916 { "Referer", "http.referer",
2917 FT_STRING, BASE_NONE, NULL, 0x0,
2918 "HTTP Referer", HFILL }},
2919 { &hf_http_accept_language,
2920 { "Accept-Language", "http.accept_language",
2921 FT_STRING, BASE_NONE, NULL, 0x0,
2922 "HTTP Accept Language", HFILL }},
2923 { &hf_http_accept_encoding,
2924 { "Accept Encoding", "http.accept_encoding",
2925 FT_STRING, BASE_NONE, NULL, 0x0,
2926 "HTTP Accept Encoding", HFILL }},
2928 { "Date", "http.date",
2929 FT_STRING, BASE_NONE, NULL, 0x0,
2930 "HTTP Date", HFILL }},
2931 { &hf_http_cache_control,
2932 { "Cache-Control", "http.cache_control",
2933 FT_STRING, BASE_NONE, NULL, 0x0,
2934 "HTTP Cache Control", HFILL }},
2936 { "Server", "http.server",
2937 FT_STRING, BASE_NONE, NULL, 0x0,
2938 "HTTP Server", HFILL }},
2939 { &hf_http_location,
2940 { "Location", "http.location",
2941 FT_STRING, BASE_NONE, NULL, 0x0,
2942 "HTTP Location", HFILL }},
2943 { &hf_http_sec_websocket_accept,
2944 { "Sec-WebSocket-Accept", "http.sec_websocket_accept",
2945 FT_STRING, BASE_NONE, NULL, 0x0,
2947 { &hf_http_sec_websocket_extensions,
2948 { "Sec-WebSocket-Extensions", "http.sec_websocket_extensions",
2949 FT_STRING, BASE_NONE, NULL, 0x0,
2951 { &hf_http_sec_websocket_key,
2952 { "Sec-WebSocket-Key", "http.sec_websocket_key",
2953 FT_STRING, BASE_NONE, NULL, 0x0,
2955 { &hf_http_sec_websocket_protocol,
2956 { "Sec-WebSocket-Protocol", "http.sec_websocket_protocol",
2957 FT_STRING, BASE_NONE, NULL, 0x0,
2959 { &hf_http_sec_websocket_version,
2960 { "Sec-WebSocket-Version", "http.sec_websocket_version",
2961 FT_STRING, BASE_NONE, NULL, 0x0,
2963 { &hf_http_set_cookie,
2964 { "Set-Cookie", "http.set_cookie",
2965 FT_STRING, BASE_NONE, NULL, 0x0,
2966 "HTTP Set Cookie", HFILL }},
2967 { &hf_http_last_modified,
2968 { "Last-Modified", "http.last_modified",
2969 FT_STRING, BASE_NONE, NULL, 0x0,
2970 "HTTP Last Modified", HFILL }},
2971 { &hf_http_x_forwarded_for,
2972 { "X-Forwarded-For", "http.x_forwarded_for",
2973 FT_STRING, BASE_NONE, NULL, 0x0,
2974 "HTTP X-Forwarded-For", HFILL }},
2975 { &hf_http_request_in,
2976 { "Request in frame", "http.request_in",
2977 FT_FRAMENUM, BASE_NONE, NULL, 0,
2978 "This packet is a response to the packet with this number", HFILL }},
2979 { &hf_http_response_in,
2980 { "Response in frame","http.response_in",
2981 FT_FRAMENUM, BASE_NONE, NULL, 0,
2982 "This packet will be responded in the packet with this number", HFILL }},
2983 { &hf_http_next_request_in,
2984 { "Next request in frame", "http.next_request_in",
2985 FT_FRAMENUM, BASE_NONE, NULL, 0,
2986 "The next HTTP request starts in packet number", HFILL }},
2987 { &hf_http_next_response_in,
2988 { "Next response in frame","http.next_response_in",
2989 FT_FRAMENUM, BASE_NONE, NULL, 0,
2990 "The next HTTP response starts in packet number", HFILL }},
2991 { &hf_http_prev_request_in,
2992 { "Prev request in frame", "http.prev_request_in",
2993 FT_FRAMENUM, BASE_NONE, NULL, 0,
2994 "The previous HTTP request starts in packet number", HFILL }},
2995 { &hf_http_prev_response_in,
2996 { "Prev response in frame","http.prev_response_in",
2997 FT_FRAMENUM, BASE_NONE, NULL, 0,
2998 "The previous HTTP response starts in packet number", HFILL }},
3000 { "Time since request", "http.time",
3001 FT_RELATIVE_TIME, BASE_NONE, NULL, 0,
3002 "Time since the request was send", HFILL }},
3004 static gint *ett[] = {
3009 &ett_http_chunked_response,
3010 &ett_http_chunk_data,
3011 &ett_http_encoded_entity,
3012 &ett_http_header_item
3015 static ei_register_info ei[] = {
3016 { &ei_http_chat, { "http.chat", PI_SEQUENCE, PI_CHAT, "Formatted text", EXPFILL }},
3017 { &ei_http_chunked_and_length, { "http.chunkd_and_length", PI_MALFORMED, PI_WARN, "It is incorrect to specify a content-length header and chunked encoding together.", EXPFILL }},
3018 { &ei_http_subdissector_failed, { "http.subdissector_failed", PI_MALFORMED, PI_NOTE, "HTTP body subdissector failed, trying heuristic subdissector", EXPFILL }},
3021 /* UAT for header fields */
3022 static uat_field_t custom_header_uat_fields[] = {
3023 UAT_FLD_CSTRING(header_fields, header_name, "Header name", "HTTP header name"),
3024 UAT_FLD_CSTRING(header_fields, header_desc, "Field desc", "Description of the value contained in the header"),
3028 module_t *http_module;
3029 expert_module_t* expert_http;
3032 proto_http = proto_register_protocol("Hypertext Transfer Protocol",
3034 proto_register_field_array(proto_http, hf, array_length(hf));
3035 proto_register_subtree_array(ett, array_length(ett));
3036 expert_http = expert_register_protocol(proto_http);
3037 expert_register_field_array(expert_http, ei, array_length(ei));
3039 http_handle = new_register_dissector("http", dissect_http, proto_http);
3041 http_module = prefs_register_protocol(proto_http, reinit_http);
3042 prefs_register_bool_preference(http_module, "desegment_headers",
3043 "Reassemble HTTP headers spanning multiple TCP segments",
3044 "Whether the HTTP dissector should reassemble headers "
3045 "of a request spanning multiple TCP segments. "
3046 "To use this option, you must also enable "
3047 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
3048 &http_desegment_headers);
3049 prefs_register_bool_preference(http_module, "desegment_body",
3050 "Reassemble HTTP bodies spanning multiple TCP segments",
3051 "Whether the HTTP dissector should use the "
3052 "\"Content-length:\" value, if present, to reassemble "
3053 "the body of a request spanning multiple TCP segments, "
3054 "and reassemble chunked data spanning multiple TCP segments. "
3055 "To use this option, you must also enable "
3056 "\"Allow subdissectors to reassemble TCP streams\" in the TCP protocol settings.",
3057 &http_desegment_body);
3058 prefs_register_bool_preference(http_module, "dechunk_body",
3059 "Reassemble chunked transfer-coded bodies",
3060 "Whether to reassemble bodies of entities that are transferred "
3061 "using the \"Transfer-Encoding: chunked\" method",
3062 &http_dechunk_body);
3064 prefs_register_bool_preference(http_module, "decompress_body",
3065 "Uncompress entity bodies",
3066 "Whether to uncompress entity bodies that are compressed "
3067 "using \"Content-Encoding: \"",
3068 &http_decompress_body);
3070 prefs_register_obsolete_preference(http_module, "tcp_alternate_port");
3072 range_convert_str(&global_http_tcp_range, TCP_DEFAULT_RANGE, 65535);
3073 http_tcp_range = range_empty();
3074 prefs_register_range_preference(http_module, "tcp.port", "TCP Ports",
3076 &global_http_tcp_range, 65535);
3078 range_convert_str(&global_http_ssl_range, SSL_DEFAULT_RANGE, 65535);
3079 http_ssl_range = range_empty();
3080 prefs_register_range_preference(http_module, "ssl.port", "SSL/TLS Ports",
3081 "SSL/TLS Ports range",
3082 &global_http_ssl_range, 65535);
3084 headers_uat = uat_new("Custom HTTP headers fields Table",
3085 sizeof(header_field_t),
3086 "custom_http_header_fields",
3090 /* specifies named fields, so affects dissection
3091 and the set of named fields */
3092 UAT_AFFECTS_DISSECTION|UAT_AFFECTS_FIELDS,
3094 header_fields_copy_cb,
3095 header_fields_update_cb,
3096 header_fields_free_cb,
3097 header_fields_initialize_cb,
3098 custom_header_uat_fields
3101 prefs_register_uat_preference(http_module, "custom_http_header_fields", "Custom HTTP headers fields",
3102 "A table to define custom HTTP header for which fields can be setup and used for filtering/data extraction etc.",
3106 * Dissectors shouldn't register themselves in this table;
3107 * instead, they should call "http_dissector_add()", and
3108 * we'll register the port number they specify as a port
3109 * for HTTP, and register them in our subdissector table.
3111 * This only works for protocols such as IPP that run over
3112 * HTTP on a specific non-HTTP port.
3114 port_subdissector_table = register_dissector_table("http.port",
3115 "TCP port for protocols using HTTP", FT_UINT16, BASE_DEC);
3118 * Dissectors can register themselves in this table.
3119 * It's just "media_type", not "http.content_type", because
3120 * it's an Internet media type, usable by other protocols as well.
3122 media_type_subdissector_table =
3123 register_dissector_table("media_type",
3124 "Internet media type", FT_STRING, BASE_NONE);
3127 * Heuristic dissectors SHOULD register themselves in
3128 * this table using the standard heur_dissector_add()
3131 register_heur_dissector_list("http", &heur_subdissector_list);
3134 * Register for tapping
3136 http_tap = register_tap("http"); /* HTTP statistics tap */
3137 http_eo_tap = register_tap("http_eo"); /* HTTP Export Object tap */
3141 * Called by dissectors for protocols that run atop HTTP/TCP.
3144 http_dissector_add(guint32 port, dissector_handle_t handle)
3147 * Register ourselves as the handler for that port number
3150 dissector_add_uint("tcp.port", port, http_handle);
3153 * And register them in *our* table for that port.
3155 dissector_add_uint("http.port", port, handle);
3159 http_port_add(guint32 port)
3162 * Register ourselves as the handler for that port number
3163 * over TCP. We rely on our caller having registered
3164 * themselves for the appropriate media type.
3166 dissector_add_uint("tcp.port", port, http_handle);
3170 proto_reg_handoff_http(void)
3172 dissector_handle_t http_udp_handle;
3174 data_handle = find_dissector("data");
3175 media_handle = find_dissector("media");
3176 websocket_handle = find_dissector("websocket");
3177 http2_handle = find_dissector("http2");
3179 * XXX - is there anything to dissect in the body of an SSDP
3180 * request or reply? I.e., should there be an SSDP dissector?
3182 http_udp_handle = create_dissector_handle(dissect_http_udp, proto_http);
3183 dissector_add_uint("udp.port", UDP_PORT_SSDP, http_udp_handle);
3185 ntlmssp_handle = find_dissector("ntlmssp");
3186 gssapi_handle = find_dissector("gssapi");
3188 stats_tree_register("http", "http", "HTTP/Packet Counter", 0, http_stats_tree_packet, http_stats_tree_init, NULL );
3189 stats_tree_register("http", "http_req", "HTTP/Requests", 0, http_req_stats_tree_packet, http_req_stats_tree_init, NULL );
3190 stats_tree_register("http", "http_srv", "HTTP/Load Distribution",0, http_reqs_stats_tree_packet, http_reqs_stats_tree_init, NULL );
3195 * Content-Type: message/http
3198 static gint proto_message_http = -1;
3199 static gint ett_message_http = -1;
3202 dissect_message_http(tvbuff_t *tvb, packet_info *pinfo, proto_tree *tree)
3204 proto_tree *subtree;
3206 gint offset = 0, next_offset;
3209 col_append_str(pinfo->cinfo, COL_INFO, " (message/http)");
3211 ti = proto_tree_add_item(tree, proto_message_http,
3212 tvb, 0, -1, ENC_NA);
3213 subtree = proto_item_add_subtree(ti, ett_message_http);
3214 while (tvb_reported_length_remaining(tvb, offset) > 0) {
3215 len = tvb_find_line_end(tvb, offset,
3216 tvb_ensure_length_remaining(tvb, offset),
3217 &next_offset, FALSE);
3220 proto_tree_add_text(subtree, tvb, offset, next_offset - offset,
3221 "%s", tvb_format_text(tvb, offset, len));
3222 offset = next_offset;
3228 proto_register_message_http(void)
3230 static gint *ett[] = {
3234 proto_message_http = proto_register_protocol(
3235 "Media Type: message/http",
3239 proto_register_subtree_array(ett, array_length(ett));
3243 proto_reg_handoff_message_http(void)
3245 dissector_handle_t message_http_handle;
3247 message_http_handle = create_dissector_handle(dissect_message_http,
3248 proto_message_http);
3250 dissector_add_string("media_type", "message/http", message_http_handle);
3252 heur_dissector_add("tcp", dissect_http_heur_tcp, proto_http);
3259 * Editor modelines - http://www.wireshark.org/tools/modelines.html
3264 * indent-tabs-mode: t
3267 * vi: set shiftwidth=8 tabstop=8 noexpandtab:
3268 * :indentSize=8:tabSize=8:noTabs=false: